Differences

dev:packaging:guidelines [2017/09/26 23:04]
coadde removed
— (current)
Line 1: Line 1:
-====== The Hyperbola Packaging Guidelines ====== 
  
-The Hyperbola Packaging Guidelines is the commitment that we, the Hyperbola Project, make to the Free Software Community in general and our users in particular. It is because of this that our packaging guidelines will always follow the philosophy of freedom, privacy, stability and security. 
- 
-  - **Freedom**: All packages in Hyperbola follow the [[https://www.gnu.org/distros/free-system-distribution-guidelines.html|GNU Free System Distribution Guidelines]]. They do not include or recommend non-free software or documentation and do not provide any type of support for the installation or execution of non-free software. This includes: 
-    * a) Proprietary software 
-    * b) [[https://www.gnu.org/philosophy/who-does-that-server-really-serve.html|Service as a Software Substitute (SaaSS)]] 
-    * c) Binary only firmware or binary blobs. 
-  - **Privacy**: Hyperbola's objective is to support [[https://www.gnu.org/philosophy/surveillance-vs-democracy.html|privacy]] of its community. This includes: 
-    * a) Software built and patched to be secure from global data surveillance revealed in the [[https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded|publication of Snowden's NSA documents]]. 
-    * b) Additional hardened packages which remove lower level protocols that may cause privacy leaks, metadata/fingerprinting, and vulnerabilities. 
-  - **Snapshot versions**: Since Hyperbola is a long-term support (LTS) distribution; it is adapted to maintain packages in above-mentioned date in our mailing lists or announcements in the main page.  Exceptions are considered if: 
-    * a) If a package version in the snapshot is 1.1.0, and there is a bugfix in 1.1.1, it could be upgraded because it is a revision, not a strong upgrade or a drastic version change. 
-    * b) If a package version in the snapshot is 1.1.0.a, and there is a bugfix in 1.1.0.b, it could be upgraded because it is a revision, not a strong upgrade or a drastic version change. 
-    * c) If a package version in the snapshot is 1.1.0-beta, and there is a final version in 1.1.0, it could be upgraded. 
-    * d) If a package version in the snapshot is 1.1.0-beta without plans for a final version, and there is a 2.0.0-rc, it could be upgraded as exception. 
-  - **Free software projects**: If there is software that contains a stable version, then the upstream version should be blacklisted in Hyperbola. There are examples such as: 
-    * a) The long-term support (LTS) of Linux-libre kernel instead of the upstream one. 
-    * b) The extended support release (ESR) of libre version of Iceweasel instead of the upstream one. 
-    * c) The stable version of Nginx instead of the mainline one. 
-    * d) The still version of LibreOffice instead of the fresh one. 
-    * e) The stable version of GnuPG instead of the modern one. 
-  - **Debian patches**: All packages in Hyperbola contain Debian security/stability patches to follow the Social Contract and quilt to automate the patching. The [[https://git.hyperbola.info:50100/packages/core.git/plain/mdadm/PKGBUILD|mdadm's PKGBUILD]] is used as example for all Hyperbola packages. Exceptions are considered if: 
-    * a) Debian does not maintain the required package (eg. OpenRC). In this case, we should use the Devuan or Gentoo patches. 
-    * b) There are no patches available for the required package. 
-  - **HTTPS and tarballs**: All packages in Hyperbola need to be built from the source not from a version control system (VCS). Therefore, all packages should be fixed using the required tarball from its HTTPS site. Exceptions are considered if: 
-    * a) There is not an HTTPS site. In this case, HTTP is the alternative option. 
-    * b) There is not an HTTP site. In this case, FTP is the alternative option. 
-    * c) There is no an official tarball. In this case, tarballs from the official Debian repositories is the alternative option. 
-    * d) There is an official tarball, however it requires download git submodules to be built from the source. In this case, tarballs from the official Debian repositories is the alternative option. 
-    * e) There are no available tarballs. In this case, it should be used in a specific tag or branch from a version control system (VCS) until a final version is available. 
-    * f) There is not support for GNU/Linux in tarballs, tags or branches. In this case, a master branch from a version control system (VCS) could be used temporarily until a final version with GNU/Linux support is available. 
- 
-<note important>If a package has been built from a version control system (VCS) instead of source due to the reasons given above, it should be repackaged with the appropriate version control system (VCS) suffix (eg. **-bzr** for Bazaar, **-git** for Git, **-hg** for Mercurial and **-svn** for Subversion) to differ from all packages built from the source.</note> 
- 
-  - **SHA512 or WHIRLPOOL**: All packages in Hyperbola should use SHA512 or WHIRLPOOL cryptographic hash functions only. Other cryptographic hash functions such as MD5 and SHA1 should not be used because they are severely compromised. Exceptions are considered if: 
-    * a) The package is using a version control system (VCS) because it does not contain GNU/Linux support or/and tarballs. 
-  - **GPG**: All packages in Hyperbola should use signature verification. Exceptions are considered if: 
-    * a) Tarballs do not contain signatures. 
-  - **Package release**: All packages contains a release number specific in the pkgrel for package maintainers to make updates to the package’s configure flags inside PKGBUILD. This is typically set to 1 for each new stable upstream software release and incremented for intermediate PKGBUILD updates, however if a package comes from Arch or AUR with modifications made for Hyperbola, then it should set to "$archreleasenumber.hyperbola$releasenumber" (eg. pkgrel=1.hyperbola1). Exceptions are considered if: 
-    * a) Hyperbola packages were not modified from official Arch or AUR packages. 
-    * b) Hyperbola packages built from a libre replacement project (eg. Linux-libre kernel) or another libre project not included in Arch or AUR. 
-  - **Anti-obfuscation**: obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. All obfuscated code will be rejected in Hyperbola without exceptions.
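Review bot: nothing replaces the requirements removed in this hunk and no redirect or pointer to a new location is left behind (the current revision is empty), so the integrity and provenance rules under **SHA512 or WHIRLPOOL**, **GPG** and **HTTPS and tarballs**, and the mdadm PKGBUILD reference maintainers were told to copy, all lose their anchor; suggest either restoring the page or leaving a one-line note stating where the guidelines now live. If the text is reinstated, two wording defects in the removed lines are worth fixing at the same time: the **Snapshot versions** sentence "it is adapted to maintain packages in above-mentioned date in our mailing lists" does not say which date is meant, and items c) and d) under **HTTPS and tarballs** read "There is no an official tarball" and "tarballs from the official Debian repositories is the alternative option".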