HyperWiki

This is an old revision of the document!

… (WIP)

Diretrizes de Empacotamento

As Diretrizes de Empacotamento do projeto Hyperbola e o compromisso que nós, Hyperbola, fizemos com à comunidade de software livre em geral e aos nossos usuários em particular. É por isso que as nossas diretrizes de empacotamento seguirão sempre a filosofia de liberdade, privacidade, estabilidade e segurança.

  1. Liberdade: Todos os pacotes distribuidos pela Hyperbola seguem as Diretrizes para Distribuições de Sistemas Livres. Portanto, não incluimos ou recomendamos software ou documentação não-livre e não fornecemos nenhum tipo de suporte para a instalação ou execução de software não-livre. Isso inclui:
  1. Privacidade: O projeto Hyperbola tem como objetivo apoiar a privacidade de sua comunidade. Isso inclui:
  • a) Software empacotado com correções para garantir a segurança e impedir a vigilância global de dados revelada nos documentos da NSA de Snowden
  • b) Pacotes com correções adicionais que removem protocolos de nível inferior que podem causar vazamentos de privacidade, metadados/impressões digitais e vulnerabilidades.
  1. FHS: Todos os pacotes seguem o Filesystem Hierarchy Standard (FHS) que definem os principas diretorios e ficheiros em GNU/Linux ou qualquer outro sistema operativo Unix como por exemplo GNU/Hurd. Portanto, todos os pacotes deveriao ser fixados utilizando este estandarte, sem qualquer exepcoes.

…(WIP)

  1. Projetos de software Livre: If there is software that contain a stable version, then the upstream version should be blacklisted. There are examples such as:
    • a) The long-term support (LTS) of Linux-libre kernel instead of the upstream one.
    • b) The extended support release (ESR) of libre version of Iceweasel instead of the upstream one.
    • c) The stable version of Nginx instead of the mainline one.
    • d) The still version of LibreOffice instead of the fresh one.
    • e) The stable version of GnuPG instead of the modern one.

a Hyperbola é uma distribuição de Suporte a Longo Prazo, Long Term Support (LTS) em inglês

4

  1. Anti-abandonware: Hyperbola considers orphaned projects without bugfixes and patches activity as security issue and should be blacklisted. Exceptions are considered:
    • a) If a package is needed for a functionality and there is no a current replacement for it.
    • b) If a package is an important dependency for active projects and there is no a current replacement for it.
    • c) If a package is a driver, firmware or hardware emulation and there is no a current replacement for it.

5

  1. Snapshot versions: Since Hyperbola is a long-term support (LTS) distribution; all packages are based on Arch snapshots from the above-mentioned date announced in the Hyperbola mailing lists or main page, and designed to be supported for a longer than normal period until the next stable release. Exceptions are considered:
    • a) If a package version in the snapshot is 1.1.0, and there is a bugfix in 1.1.1, it could be upgraded because it is a revision, not a strong upgrade or a drastic version change.
    • b) If a package version in the snapshot is 1.1.0.a, and there is a bugfix in 1.1.0.b, it could be upgraded because it is a revision, not a strong upgrade or a drastic version change.
    • c) If a package version in the snapshot is 1.1.0-beta, and there is a final version in 1.1.0, it could be upgraded.
    • d) If a package version in the snapshot is 1.1.0-beta without plans for a final version, and there is a 2.0.0-rc, it could be upgraded as exception.
    • e) If a package version in the snapshot is 1.1.0 and depends on abandonware project (eg. OpenRC 0.25.x depends on SysVinit), and there is a 1.2.0 with a replacement, it could be upgraded as bugfix version. (eg. SysVinit is replaced with openrc-init in OpenRC 0.28.x).
    • f) If a package version in the snapshot is a long-term support (LTS) project, all minor versions of a release series are accepted as exception such as ESR 52 series in the libre version of Iceweasel (eg. 52.x.x).
    • g) If a package version needs taking security parts from a newer version, but it is inefficient to be backported, a newer version could be considered as exception (see Backporting amendment for further details).

6

  1. Package release: All packages contain a release number specific in the pkgrel for package maintainers to make updates to the package's configure flags inside PKGBUILD. This is typically set to 1 for each new stable upstream software release and incremented for intermediate PKGBUILD updates, however if a package comes from Arch or AUR with modifications made for Hyperbola, then it should set to “$archreleasenumber.hyperbola$hyperbolareleasenumber” (eg. pkgrel=1.hyperbola1). Exceptions are considered:
    • a) If a package was not modified from official Arch or AUR package(s).
    • b) If a package was built from a libre replacement project (eg. Linux-libre kernel) or another libre project not included in Arch or AUR.

7

  1. Backporting: Hyperbola uses the term backporting to describe a package built from a newer version, adjusted and adapted for usage on the current stable release. It requires be repackaged with the appropriate package release “backports$backportsreleasenumber” for official Arch, AUR or Hyperbola packages (eg. pkgrel=1.backports1) and Arch or AUR packages modified by Hyperbola (eg. pkgrel=1.hyperbola1.backports1) until the next stable release. Backporting is accepted in Hyperbola as exception, but under the following conditions:
    • a) If the current package used on the current stable release needs many modifications spread across multiple files of the code to solve some specific issue (eg. security issue) and it is inefficient to be fixed.
    • b) All newer version packages and its required newer version library and dependency packages should be repackaged with the appropriate package release too, since it will be rebuilt in a stable environment so that it will run without new libraries. This suffix is applied until the next stable release.
    • c) All newer version packages should follow the snapshot version rules from Hyperbola Packaging Guidelines using its release date as a snapshot version, it means Hyperbola will not accept recurrent drastic version changes as long as fixing is possible.

8

  1. Package licenses: All packages contain a license field that specifies the license(s) source that apply to the package using the commonly used licenses in /usr/share/licenses/common. It means, if a source is under a license which is available in /usr/share/licenses/common (eg. GPL-2), simply it should be referenced in the package license field (eg. license=('GPL-2')). If it is not the case, then it should be included in the package itself and set license=('custom:LicenseName'). The license file should be placed in /usr/share/licenses/$pkgname when building the package. If multiple licenses are applicable, the conditions are:
    • a) If an upstream source provides the preference to choose a license, add only that license in the package license field. The chosen license must be compatible with the linked library dependencies used by the package. (eg. if the chosen license for ffmpeg is the version 3 of LGPL, then the configure parameter `–enable-version3` must be added in ffmpeg's PKGBUILD to activate this licensing option and use the LGPL-3 compatible libraries).
    • b) If an upstream source contains files with many different licenses, add only the primary ones in the package license field.
    • c) All chosen primary and compatible license files from the upstream source should be placed in /usr/share/licenses/$pkgname.

9

  1. Debian patches: All packages contain Debian security/stability patches to follow the Social Contract and the program quilt to automate the patching. The mdadm's PKGBUILD is used as example for all packages. Exceptions are considered:
    • a) If Debian does not maintain the required package. In this case, we should use the Devuan or Gentoo patches.
    • b) If there are no patches available for the required package.
    • c) For Linux-libre kernels.

10

  1. HTTPS and tarballs: All packages need to be built from the source through its official tarball not from a version control system (VCS). Therefore, all packages should be fixed using the required tarball from its HTTPS site. Exceptions are considered:
    • a) If there is not an HTTPS site. In this case, HTTP is the alternative option.
    • b) If there is not an HTTP site. In this case, FTP is the alternative option.
    • c) If there is no an official tarball. In this case, tarballs from the official Debian repositories is the alternative option.
    • d) If there is an official tarball, however tarballs from the official Debian repositories contain bugfixes. In this case, the official tarballs from Debian should be used by default. (eg. Mutt+NeoMutt bugfixes)
    • e) If there is an official tarball, however it requires download git submodules to be built from the source. In this case, tarballs from the official Debian repositories is the alternative option.
    • f) If there are no available tarballs. In this case, it should be used in a specific tag or branch from a version control system (VCS) and repackaged with the appropriate suffix (eg. -bzr for Bazaar, -git for Git, -hg for Mercurial and -svn for Subversion) until a final version is available.
    • g) If there is not support for GNU/Linux in tarballs, tags or branches. In this case, a master branch from a version control system (VCS) could be used temporarily and repackaged with the appropriate suffix (eg. -bzr for Bazaar, -git for Git, -hg for Mercurial and -svn for Subversion) until a final version with GNU/Linux support is available.
  2. SHA-512: All packages should use SHA-512 cryptographic hash functions only. Other cryptographic hash functions such as MD5 and SHA-1 should not be used because they are severely compromised. Exceptions are considered:
    • a) If the package is using a version control system (VCS) because it does not contain GNU/Linux support or/and tarballs.

…(WIP)

  1. GPG: Todos os pacotes na Hyperbola devem usar a verificação de assinatura. As exceções são consideradas se:
  • a) Tarballs não contenham tais assinaturas.
  1. Anti-ofuscação: A ofuscação é o ato deliberado de criar código ofuscado, ou seja, código fonte que é difícil para os seres humanos entenderem. Todo código ofuscado será rejeitado na Hyperbola sem exceções.