On Wed, 3 April 2013 21:00, Richard W.M. Jones wrote:

> So we have, I think, four choices:
>
> (1) embrace the software, allow it to be shipped (or even ship it
> ourselves), and don't care about the security problems
>
> (2) deal with the combinatorial security explosion of having multiple
> parallel versions of badly engineered packages installed, requiring
> loads of extra manpower (from where?!)
>
> (3) spend ages educating the upstream developers on best practices,
> and patching and fixing upstream software ourselves
>
> (4) don't embrace or ship this software, and risk obscurity
>
> I think #3 or #4 is where we are right now.

You've just proved there is no choice to make.

Your first choice is a no-go, a PR disaster in the making (Microsoft is still paying the PR costs of its 90's security shortcuts, two decades later).

All the other "choices" are manpower allocation, which Fedora does not restrict in any way. If 2. or 3. are not taken more often it's just that some upstreams make their production prohibitively expensive to ship in manpower, and no one feels ready to volunteer the vast amount of time they would require.

Ecosystem packaging usually goes from 4 to 2 to 3, with the courageous people stepping up for 2 getting burnt out and barely managing to do 4 enough for someone else to take up the relay from there.

Upstream shortcuts are like heavy metals: the higher you get in the food chain, the higher the poison concentration. In systems-land, packagers are at the top of the food chain. The easier you make it for upstreams to introduce poison into the ecosystem, the fewer packages you will ship in the mid-term, because you'll get packager die-out (LibreOffice people have understood this very well at their own scale).

And, lastly, you're selling the advantages of packaging short. Linux users are quick to understand the benefits they get from packaged software.

That is why we get regular upstream complaints that distros are 'stealing' their users, or the current castle-in-the-sky wishful thinking by some GNOME OS proponents. They don't like having to abide by strict distro deployment rules, but their users are forcing them to go through this process, or risk obscurity (to use your words).

Regards,

--
Nicolas Mailhot

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel