On Sun, 2014-01-12 at 20:58 +0100, Till Maas wrote: > On Sun, Jan 12, 2014 at 10:39:19AM -0800, Adam Williamson wrote: > > On Sun, 2014-01-12 at 18:55 +0100, Kevin Kofler wrote: > > > > So, like Matthew Miller, I think we cannot possibly punt on this issue, but > > > I totally DISAGREE with his proposed solution of endorsing those bundling > > > systems officially. Instead, we need to continue packaging things properly. > > > > Have you looked at what people are installing on Fedora lately? Have you > > looked at how much PHP stuff there is out there vs. what we have > > packaged 'properly'? Java? Ruby? Do you know anyone who deploys > > Wordpress plugins via distribution packages? > > Even if people do it, it does not meant that it is the best way to do > it. Mixed packaging makes it a lot harder to properly update in case of > security vulnerabilities. E.g. instead of only checking/ensuring proper > RPM updates one need to check each distribution method for regular > updates. Is there even some tooling available to check/update all e.g. > rbenv or virtualenv setups properly? You're preaching to the choir. But if in practice people really don't deploy things via the distribution packages, it doesn't matter how awesomely secure the distribution packages are. Something that you're not using is never providing you with any additional security. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct