On Sun, Jan 12, 2014 at 10:39:19AM -0800, Adam Williamson wrote:
> On Sun, 2014-01-12 at 18:55 +0100, Kevin Kofler wrote:
> > So, like Matthew Miller, I think we cannot possibly punt on this issue, but
> > I totally DISAGREE with his proposed solution of endorsing those bundling
> > systems officially. Instead, we need to continue packaging things properly.
>
> Have you looked at what people are installing on Fedora lately? Have you
> looked at how much PHP stuff there is out there vs. what we have
> packaged 'properly'? Java? Ruby? Do you know anyone who deploys
> Wordpress plugins via distribution packages?

Even if people do it, it does not mean that it is the best way to do it.
Mixed packaging makes it a lot harder to properly update in case of
security vulnerabilities. E.g. instead of only checking/ensuring proper
RPM updates one needs to check each distribution method for regular
updates. Is there even some tooling available to check/update all e.g.
rbenv or virtualenv setups properly?

Also it appears to me that non-Fedora packaged software is typically
less secure. For example, I heard that the upstream nginx packages are
not protected by ASLR but the Fedora packages are. Additionally I doubt
that upstream usually considers SELinux issues.

I guess a lot of people probably install wordpress with chmod 777 and
within a webserver's document root. Does it mean this is the superior
way?

However, if multiple software requires different versions, then this
should be made possible e.g. within RPM or a different central packaging
tool to provide proper version tracking, central updates and uniform
build flags.

Regards
Till