Upgrading freeradius from source

John Dennis jdennis at redhat.com
Thu May 14 04:29:23 CEST 2009


Ming-Ching Tiew wrote:
> 
> 
> --- On Wed, 5/13/09, John Dennis <jdennis at redhat.com> wrote:
> 
>> BTW, the 2.1.4/2.1.5 snafu is why the most recent
>> RPM is 2.1.3.
>> -- 
> 
> Software will always have flaws, defects, bugs or whatever
> we call it. The way I understand the rpmbuild process,
> it is not difficult to add a little patch which fixes
> the problem.

Of course it's easy to add a patch, but that's not the issue. There were
2 different versions of 2.1.4 tar file over a period of time. The second
version of 2.1.4 identified itself internally as it built as 2.1.5 even
though its name was 2.1.4. RPMs are supposed to be built from pristine
upstream sources and *must* be reproducible from upstream. So let's say
you have a tar file whose name is freeradius-server-2.1.4.tar.bz which
is being used to build an RPM, how do you know if that tar file was the
original 2.1.4 or the subsequent 2.1.5 release which superseded it? It's
ambiguous what the RPM version would be because it depends on the time
window the freeradius-server-2.1.4.tar.bz was downloaded. The ambiguity
with regards to what the actual version the RPM might produce is not
acceptable. It's critical from a release perspective the version
information be correct. The entire RPM build process depends on the
assumption the tar file version matches the tar file contents which
matches the RPM spec file version. It may be acceptable to you to
privately build such an RPM but distributions cannot take that same risk.

-- 
John Dennis <jdennis at redhat.com>
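
The check the message above calls for, as an added example that is not part of the original post or of any Red Hat or FreeRADIUS tooling: a packager pins the digest of the tarball when it is first imported and refuses to build if the file name, the version the contents report, and the spec version disagree. The top-level `VERSION` file, the helper names and both tarballs are assumptions constructed in memory for the illustration.

```python
import hashlib, io, re, tarfile

def make_tarball(topdir, version):
    """Constructed sample: an in-memory .tar.bz whose VERSION file holds `version`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        data = (version + "\n").encode()
        info = tarfile.TarInfo(f"{topdir}/VERSION")  # assumed layout, not from the post
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def check_source(filename, blob, spec_version, pinned_sha256):
    """Return a list of problems; empty means name, contents, spec and digest agree."""
    problems = []
    # 1. Same name must mean same bytes: compare against the digest pinned at import.
    if hashlib.sha256(blob).hexdigest() != pinned_sha256:
        problems.append("digest differs from the one pinned at import time")
    # 2. The version in the file name must match the spec file version.
    m = re.search(r"-(\d+(?:\.\d+)+)\.tar\.", filename)
    name_version = m.group(1) if m else None
    if name_version != spec_version:
        problems.append(f"file name says {name_version}, spec says {spec_version}")
    # 3. The version the contents report must match the spec file version.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:bz2") as tar:
        member = next((x for x in tar.getmembers()
                       if x.name.endswith("/VERSION")), None)
        internal = (tar.extractfile(member).read().decode().strip()
                    if member else None)
    if internal != spec_version:
        problems.append(f"contents identify as {internal}, spec says {spec_version}")
    return problems

# Two constructed uploads published under the same name, as in the 2.1.4 case.
NAME = "freeradius-server-2.1.4.tar.bz"
first = make_tarball("freeradius-server-2.1.4", "2.1.4")
second = make_tarball("freeradius-server-2.1.4", "2.1.5")
PINNED = hashlib.sha256(first).hexdigest()  # recorded when the source was imported

if __name__ == "__main__":
    for label, blob in (("first upload", first), ("second upload", second)):
        print(label, check_source(NAME, blob, "2.1.4", PINNED) or "OK")
```

The file name check alone passes for both uploads; only the pinned digest and the internal version expose the replacement.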
