On Wed, 08 Dec 2021 at 03:10:31 +0000, Stephan Verbücheln wrote: > On Tue, 2021-12-07 at 23:35 +0000, Simon McVittie wrote: > > Flathub generally requires builds to be done on Flathub's > > infrastructure, from source code if possible, in the same way Debian > > generally requires builds to be done on buildds, from source if > > possible. > > Are you sure about that? Is there a policy?
I thought there was a socially-enforced policy, but I can't find it written down, and perhaps it doesn't exist. Certainly the preference is that apps are built from source where possible, as Ungoogled Chromium seems to be, but that's never going to be mechanically enforceable without some sort of gatekeeper reviewing every update, which scales poorly - imagine what would happen if every Debian package upload went through NEW... There is a weaker technically-enforced policy, similar to what we have in Debian when non-free packages are built on buildds: the package needs to be "built" on Flathub infrastructure from a flatpak-builder manifest, but depending on the package, that might be from real source code, or it might be just unpacking prebuilt binaries from the archives that are listed as the "source code". I had thought that prebuilt binaries were only used for non-free packages where source code is not available at all (like Steam Link), but it seems it is also done for some packages where source code is available but hard to build. The way in which Firefox is different is that it has an exception to that weaker technically-enforced policy: there's no flatpak-builder manifest for Firefox in Flathub's Github project, and builds done by Mozilla get imported into the ostree repository directly. smcv