On Tue, 29 Dec 2009 10:52:54 +0000, Daniel wrote: > Hi, > > OLPC's security system uses libtomcrypt / tomsfastmath, both at the > Linux level and the firmware level. > > OLPC has previously had a specific version of tomcrypt/tommath > profesionally audited for security reasons. So we obviously want to > stick with that version. > > A few packages we have in Fedora currently use this frozen, audited > version - we do so by shipping duplicate copies of that source code > within the individual packages, rather than linking against the dynamic > systemwide equivalents. > > As we're now looking at making another package which uses yet another > duplicate copy of this code base I'm wondering if we can do it better. > > Could I add a package, named olpc-bios-crypto-devel (a subpackage of the > to-be-packaged olpc-bios-crypto), which installs the .a files for the > audited libraries somewhere on the system? > > Then the individual components that rely on this library (e.g. bitfrost, > olpc-contents, olpc-bios-crypto) would have a BuildRequires dependency > on olpc-bios-crypto-devel and build against the 'systemwide' static .a > library files. > > Or am I going too far against common packaging practice at this point? > Any alternative suggestions? There is https://fedoraproject.org/wiki/Packaging:Guidelines#Packaging_Static_Libraries and https://fedoraproject.org/wiki/Packaging:Guidelines#Staticly_Linking_Executables already. These guidelines explain how to name static library packages and how to build-require them. You didn't comment on those guidelines at all. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
