On Fri, 2015-10-02 at 13:18 +0200, Vít Ondruch wrote:
> On 30.9.2015 at 16:52 Ralf Corsepius wrote:
> >
> > Like I've said many times before, I feel Fedora needs a serious
> > vulnerability in a widespread bundled or static library, such that
> > people finally comprehend the harm of bundling.
>
> This harms Fedora but not the upstream project which bundles. If there
> is a security issue discovered in the bundled library, they fix it and
> release a new version; they are, in the users' view, the good guys who
> care about security. If we fix the same issue in the unbundled library,
> it is invisible to users, and in the end they demand an updated version
> of the upstream project, since they believe that the issue is not fixed
> in Fedora yet.
>
> I am afraid that no matter how much education you'd like to apply to
> this issue, you will never reduce it, since honestly, most of the
> development is done on platforms other than Linux, where bundling of
> various kinds is the norm.
>
> And TBH, as much as I hate this reduction of anti-bundling requirements,
> I also hate to hear from upstream that they don't wish their SW to be
> included in Fedora, since we break it due to unbundling policies.

This seems like a strong argument for the current case where the bundling
exception is provided by FPC. The question is only whether it needs to be
FPC or some other body.

The bundling should be approved only for projects where upstream is fully
active and cares well about the security vulnerabilities in the bundled
copies of software. I am not sure that this should be evaluated just by
the single person who reviews the package for acceptance in Fedora, so I
do not like the current proposal. On the other hand, the evaluation should
be quick, and the current rules seem to me to be slightly too strict.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct