Re: Proposal to reduce anti-bundling requirements

On Wednesday, 30 September 2015 at 14:35, Stephen Gallagher wrote:
> Just to circle around here (in case people don't read my reply to the
> FESCo meeting agenda), I'm making the following revised proposal[1] to
> FESCo which may or may not be discussed at today's meeting (given that
> it was submitted late):
> 
> 
> === Mandatory ===
> * The Fedora Base Working Group has been tasked with defining the base
> platform of Fedora since its inception. As part of this proposal, we
> set a deadline for them to provide (and maintain) a specific list of
> critical path packages. The critical path set is ''not'' required to be
> self-hosting.
> * Working Groups for the separate Editions '''may''' voluntarily add
> packages into the critical path atop the Base WG requirements.
> * All packages in the critical path '''must''' obey the current strict
> bundling rules.
> * All packages not in the critical path whose upstreams allow them to
> be built against system libraries '''must''' be built against system
> libraries.
> * All packages not in the critical path whose upstreams have no
> mechanism to build against system libraries '''must''' be contacted
> publicly about a path to supporting system libraries. If upstream
> refuses, this must be recorded in a link included in the spec file.
> * All packages not in the critical path whose upstreams have no
> mechanism to build against system libraries '''may''' opt to carry
> bundled libraries, but if they do, they '''must''' include {{{Provides:
> bundled(<libname>) = <version>}}} in their RPM spec file.

I strongly object to this last point. If we simply allow free bundling
provided that it's recorded then we're opening a can of worms each
having a different CVE written on their backs. A recently discovered
bundling of lua[2] (with an actual open CVE) in luatex (and probably
in many more packages) is a good example of why this is a bad idea.

The current FPC bundling exception process should be preserved,
otherwise we're effectively removing all motivation to work with
upstreams on unbundling.

> === Strongly Recommended ===
> * Packages in the critical path should be re-reviewed every two years
> (possibly as a Flock workshop) to avoid unintentional divergence from
> the policies.

+1

> [1] https://fedorahosted.org/fesco/ticket/1483
[2] https://fedorahosted.org/fpc/ticket/569

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
        -- Delenn to Lennier in Babylon 5: "Confessions and Lamentations"
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
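As an added example (not part of this thread, and not Fedora's own tooling): a small Python audit that reads `rpm -q --provides`-style output, collects the `bundled(<libname>) = <version>` Provides the proposal would mandate, and reports which packages carry a bundled copy older than the system library, which is the inventory a maintainer needs when a CVE lands in a bundled library as in the luatex case. All package names and versions in the sample are constructed, and the `pkg: provide` input shape is an assumption.

```python
import re

# Constructed sample in the shape of `rpm -q --provides` output, each line
# prefixed with the owning package name; all names and versions are hypothetical.
SAMPLE_PROVIDES = """\
lua: lua = 5.3.0
texlive-luatex: bundled(lua) = 5.2.3
foo-editor: bundled(lua) = 5.3.0
bar-game: bundled(zlib) = 1.2.7
baz-tool: bundled(expat) = 2.1.0
zlib: zlib = 1.2.8
"""

BUNDLED_RE = re.compile(r"^bundled\(([^)]+)\)\s*=\s*(\S+)$")

def version_key(v):
    # Numeric-only key; enough for dotted upstream versions like 5.2.3
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_provides(text):
    """Return ({lib: system version}, [(pkg, lib, bundled version)])."""
    system, bundled = {}, []
    for line in text.splitlines():
        pkg, sep, provide = line.strip().partition(": ")
        if not sep:
            continue
        m = BUNDLED_RE.match(provide)
        if m:
            bundled.append((pkg, m.group(1), m.group(2)))
        elif provide.startswith(pkg + " = "):  # self-Provides = system copy
            system[pkg] = provide.split(" = ", 1)[1]
    return system, bundled

def audit(text):
    """(pkg, lib, bundled_ver, system_ver, status) for every bundled copy."""
    system, bundled = parse_provides(text)
    rows = []
    for pkg, lib, ver in bundled:
        sysver = system.get(lib)
        if sysver is None:
            status = "no-system-copy"
        elif version_key(ver) < version_key(sysver):
            status = "older-than-system"  # likely lacks the system copy's fixes
        else:
            status = "same-or-newer"
        rows.append((pkg, lib, ver, sysver, status))
    return rows

def packages_bundling(text, lib):
    """Packages that need a rebuild when <lib> receives a security fix."""
    return sorted({pkg for pkg, l, _ in parse_provides(text)[1] if l == lib})
```

Running `audit` over real `rpm -qa`-derived output gives the per-package list the FPC exception tickets would otherwise have to be searched for by hand.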