Re: Proposal to reduce anti-bundling requirements

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Thu, Oct 01, 2015 at 10:01:29PM +0200, Dominik 'Rathann' Mierzejewski wrote:
> > * All packages not in the critical path whose upstreams have no
> > mechanism to build against system libraries '''may''' opt to carry
> > bundled libraries, but if they do, they '''must''' include {{{Provides:
> > bundled(<libname>) = <version>}}} in their RPM spec file.
> I strongly object to this last point. If we simply allow free bundling
> provided that it's recorded then we're opening a can of worms each

Just to be clear -- this last point is basically the entire proposal.
It's okay to object to it, of course, but I don't think you can
meaningfully object to just this bit alone.

> having a different CVE written on their backs. A recently discovered
> bundling of lua[2] (with an actual open CVE) in luatex (and probably
> in many more packages) is a good example of why this is a bad idea.

I take that a different way. Exactly the opposite way, in fact. First,
it shows that the current policy isn't working — it doesn't keep
bundling out. Second, it demonstrates a case where it'd be better if
the bundling had been documented, because it would have shown up in a
query when the security team was working on that vulnerability.



-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
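The point Matthew makes is that a recorded `Provides: bundled(<libname>) = <version>` turns "which packages carry a copy of lua?" into a query instead of a source-tree hunt. On a live system that query is `rpm -q --whatprovides 'bundled(lua)'` (installed packages) or `dnf repoquery --whatprovides 'bundled(lua)'` (repositories). The example below is added here and is not code from the thread or from Fedora tooling: it parses bundled() provides as they appear in a spec file or in `rpm -q --provides` output, compares the recorded versions with an rpmvercmp-style comparison (tilde, caret, leading-zero and alpha-segment rules), and lists the packages whose bundled copy is older than a "fixed in" version. All package names, versions and the 5.3.0 threshold are constructed for illustration; entries with no version recorded are reported for manual review rather than silently skipped.

```python
"""Triage a vulnerable bundled library against RPM 'bundled(...)' Provides.

Added example, not from the mailing-list thread or from Fedora tooling.
Package names, versions and the fixed-in threshold are constructed.
"""
import re

_ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _skip_separators(s):
    """Drop leading characters that rpm treats as separators (anything
    that is not ASCII alphanumeric, '~' or '^')."""
    i = 0
    while i < len(s) and s[i] not in _ALNUM and s[i] not in "~^":
        i += 1
    return s[i:]


def rpmvercmp(a, b):
    """Compare two version strings the way rpm does. Returns -1, 0 or 1.
    '~' sorts before anything (pre-releases), '^' sorts after the base
    version but before a longer one (post-release snapshots), numeric
    segments compare as integers, alphabetic segments compare as strings."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_separators(one), _skip_separators(two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        if one[0] in "0123456789":
            m1, m2, isnum = re.match(r"[0-9]+", one), re.match(r"[0-9]+", two), True
        else:
            m1, m2, isnum = re.match(r"[A-Za-z]+", one), re.match(r"[A-Za-z]+", two), False
        seg1 = m1.group(0)
        seg2 = m2.group(0) if m2 else ""
        one, two = one[len(seg1):], two[len(seg2):]
        if not seg2:
            # numeric vs alpha at the same position: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


# Accepts both the spec-file form ("Provides: bundled(lua) = 5.2.1") and the
# form printed by `rpm -q --provides` ("bundled(lua) = 5.2.1"); the version is
# optional because the guideline text only says it 'must' be present.
_PROVIDES_RE = re.compile(r"^(?:Provides:\s*)?bundled\(([^)\s]+)\)\s*(?:=\s*(\S+))?\s*$")


def parse_bundled(line):
    """Return (libname, version_or_None) for a bundled() provide, else None."""
    m = _PROVIDES_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def find_affected(provides, lib, fixed_version):
    """provides: iterable of (package, provides_line). Returns the packages
    whose bundled copy of `lib` is older than `fixed_version`, plus those
    that declared the bundle without a version (needs manual review)."""
    hits = []
    for pkg, line in provides:
        parsed = parse_bundled(line)
        if parsed is None or parsed[0] != lib:
            continue
        ver = parsed[1]
        if ver is None or rpmvercmp(ver, fixed_version) < 0:
            hits.append((pkg, ver))
    return hits


# Constructed sample data (hypothetical packages and versions).
SAMPLE_PROVIDES = [
    ("example-luatex", "Provides: bundled(lua) = 5.2.1"),
    ("foo-editor",     "bundled(lua) = 5.3.6"),
    ("bar-game",       "Provides: bundled(lua)"),           # no version recorded
    ("baz-tool",       "Provides: bundled(zlib) = 1.2.8"),  # different library
    ("qux-app",        "Provides: libqux.so.1()(64bit)"),   # not a bundling record
]

if __name__ == "__main__":
    # Hypothetical advisory: the bug is fixed in lua 5.3.0.
    for pkg, ver in find_affected(SAMPLE_PROVIDES, "lua", "5.3.0"):
        print(pkg, ver if ver else "(version not recorded; review manually)")
```

Feeding real data in is a matter of replacing `SAMPLE_PROVIDES` with the output of `rpm -qa --qf '%{NAME}\n' | xargs -n1 rpm -q --provides` joined to the package name; the comparison logic is the part worth getting right, since a naive string compare would rank 5.10 below 5.9 and miss a vulnerable pre-release marked with `~`.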