On 11/06/2013 08:52 PM, Adam Jackson wrote:
Again: don't stop the solution short based on what the current code happens to implement. If we're building the bundles - and there's reasons we would want to - then we know the patches we need to apply.
Despite significant efforts, we still have some trouble doing precisely that in the current environment. Ensuring that critical changes are applied to all relevant branches pretty much relies on individual developer effort and attention.
From a birds-eye view, we perform bundling at the distribution level. Carrying patches back and forth is not easy. We've been dealing with this for a decade or more, yet supporting technology is still scarce. This has little to do with RPM and its limitations because it's about making sure that dist-git (both Fedora and further downstream) have the required or best possible versions of the code base. At this stage, the lack of multiple RPM database, multiple versions of the same package, etc. does not come into play. There are some constraints due to the processes involved, but everyone is free to use the data that is just out there and start their own side project to tackle this problem. Yet this hasn't happened. There have been some research efforts, but nothing came out of that which actually had a chance of integration. (Other distributions face the same challenge.)
That's why I'm fairly convinced that the delivery mechanism isn't holding back a solution. It's just a very difficult problem, no matter how you eventually ship your bits.
-- Florian Weimer / Red Hat Product Security Team -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
