Bastian Germann writes:
> Am 02.06.21 um 17:33 schrieb Tobias Frost:
>> Is this RFS package now a downloader or the library itself?
>
> It's both. The -dev package is created from the source files and
> resides in main. The library package contains the downloader as a
> postinst script, which checks the known SHA256 hashes.
> There are some example userspace tools available in the package which
> could potentially be packaged in an additional package. I left this
> for a later version.
>
> There is also a chance that reproducible build might be implemented:
> https://github.com/cisco/openh264/issues/893
> When that works, the package could build the lib, verify the resulting
> hashes, and throw away the built binary. That way we could be sure not
> to have any additions to the downloaded library that are not available
> as source.
>
> I think, as Cisco provides the patent license, having the downloader
> in contrib (for some architectures) is better than having the built
> library in main (for all compiling architectures). We could also
> provide both. Any thoughts?

As I understand Debian Policy, downloading anything during postinst is
discouraged, if not banned.  So it would be best to avoid it.

In terms of the patent license, I do not think that x264 has any special
dispensation.  So just directly building and packaging openh264 should
not open Debian to any significant additional liability.  But as always,
the FTP masters will be the final arbiter of that.

Cheers,
Walter

Reply via email to