On Mon, 2014-01-13 at 08:39 -0500, Matthew Miller wrote:
> On Sun, Jan 12, 2014 at 04:39:12PM -0800, Adam Williamson wrote:
> > You're preaching to the choir. But if in practice people really don't
> > deploy things via the distribution packages, it doesn't matter how
> > awesomely secure the distribution packages are. Something that you're
> > not using is never providing you with any additional security.
>
> So for me, the question is: how can we make these things at least meet in
> the middle? Can we bring some of the distro benefits to the application
> deployment area?

One thing I would really like is improved tooling for mapping from upstream
sources to RPMs that works *over time*. Right now tools like "cpanspec"
exist, and you can use them one time, but Fedora currently rather insists
that the spec file that lives in pkg git is canonical - it doesn't really
work to attempt to rerun "cpanspec".

Many upstream build/deployment systems have substantial portions of the
metadata (BuildRequires/Requires) that RPM needs; it just needs to be
manually maintained/duplicated in the spec.

(One concrete thing to make this work is that RPM needs the ability to look
at the *unpacked* upstream sources before processing BuildRequires.)

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct