Stephen Gallagher wrote:
> * The package *MAY* contain bundled libraries or other projects, but if
> it does so, it *MUST* contain a "Provides: bundled(pkg) = version" for
> each such bundling. This is done so that we can use the meta-data to
> identify which packages may be vulnerable in the event of a security
> issue.

Before (and if) this becomes policy, it must be defined exactly what "pkg" shall be. In some cases it's obvious. In other cases a name exists in multiple variants. If we end up with one package bundling "gpg", another "gnupg" and a third "gpg2", then the policy hasn't fulfilled its purpose of making it easy to find all packages that bundle a particular piece of software.

Shall it be the name of the RPM package in Fedora? Or the source RPM package? But what if there isn't a Fedora package of the bundled software?

Shall it be the name of the upstream source tarball? Some projects don't even release tarballs.

The soname? That works only for compiled libraries.

The project name on Sourceforge/Github/Savannah/...? The domain name of its website? But one project can distribute multiple packages, and some projects use multiple websites, and nothing enforces that the name is the same everywhere.

Could the name of the root directory of its source code tree be used? Some source packages (especially those that are packaged in zip files instead of tarballs) contain multiple files and directories without a common root directory.

-- 
Björn Persson
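The lookup the proposed "Provides: bundled(pkg) = version" metadata is meant to enable, and the failure Björn describes when the same library is declared under several names. This is an added example, not code from the thread or from Fedora; the package names, bundled-library names and versions in SAMPLE_PROVIDES are constructed, and the version ordering is a simplification of rpmvercmp.

```python
import re
from collections import defaultdict

# Constructed sample of "package  provides" pairs, in the shape a query
# for 'bundled(*)' provides might return. Package names, bundled names
# and versions are invented for illustration only.
SAMPLE_PROVIDES = """\
alpha-1.0-1.fc20.x86_64 bundled(gpg) = 1.4.15
beta-2.3-4.fc20.noarch bundled(gnupg) = 2.0.20
gamma-0.9-2.fc20.x86_64 bundled(gpg2) = 2.0.22
delta-5.1-1.fc20.x86_64 bundled(zlib) = 1.2.8
"""

PROVIDES_RE = re.compile(r"^(\S+)\s+bundled\(([^)]+)\)\s*=\s*(\S+)$")


def parse_version(ver):
    """Split a dotted version into integers for ordering.
    Simplified: real RPM comparison (rpmvercmp) also handles epoch,
    release and non-numeric segments."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def index_bundled(text):
    """Map each bundled(name) to the (package, version) pairs declaring it."""
    index = defaultdict(list)
    for line in text.splitlines():
        m = PROVIDES_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not bundled() provides
        pkg, name, ver = m.groups()
        index[name].append((pkg, ver))
    return index


def affected(index, names, fixed_version):
    """Packages bundling any of `names` at a version below `fixed_version`.
    Querying a single spelling ("gnupg") misses packages that declared the
    same software as "gpg" or "gpg2"; the caller has to know every variant."""
    fixed = parse_version(fixed_version)
    hits = []
    for name in names:
        for pkg, ver in index.get(name, []):
            if parse_version(ver) < fixed:
                hits.append(pkg)
    return sorted(hits)


if __name__ == "__main__":
    idx = index_bundled(SAMPLE_PROVIDES)
    print(affected(idx, ["gnupg"], "2.0.22"))                 # one package
    print(affected(idx, ["gpg", "gnupg", "gpg2"], "2.0.22"))  # two packages
```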
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct