Re: Proposal to reduce anti-bundling requirements

On 10/02/2015 01:46 PM, Tomas Mraz wrote:
On Pá, 2015-10-02 at 13:18 +0200, Vít Ondruch wrote:
Dne 30.9.2015 v 16:52 Ralf Corsepius napsal(a):

Like I've said many times before, I feel Fedora needs a serious
vulnerability in a widespread bundled or static library, such that
people finally comprehend the harm of bundling.

This harms Fedora but not the upstream project which bundles. If there
is a discovered security issue in the bundled library, they fix it and
release a new version; in the users' view they are the good guys who care
about security. If we fix the same issue in the unbundled library, it is
invisible to users and in the end they demand an updated version of the
upstream project, since they believe that the issue is not fixed in
Fedora yet.

I am afraid that no matter how much education you'd like to apply to
this issue, you will never reduce it, since honestly, most of the
development is done on different platforms than Linux, where bundling of
various kinds is the norm.

And TBH, as much as I hate this reduction of anti-bundling requirements,
I also hate to hear from upstream that they don't wish their SW to be
included in Fedora, since we break it due to unbundling policies.

This seems like a strong argument for the current case where the
bundling exception is provided by FPC. The question is only whether it
needs to be FPC or some other body. The bundling should be approved
only for projects where upstream is fully active and cares well about the
security vulnerabilities in the bundled copies of software.
Correct. That's one of the criteria FPC is trying to consider when granting bundling exceptions. Openly said, these are the easy cases; we often grant bundling exceptions.

The problematic ones are those cases when it's obvious upstream lacks the experience and/or technical skills to understand "unbundling"/"bundling" and the resources to take care of the upstreams of their bundled sources. These often are smaller projects - in many cases - one-man shows.

Ralf

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct