On Fri, Oct 09, 2015 at 12:58:05AM +0200, Kevin Kofler wrote: > Only if you call patches to the build system (with little to no changes to > the actual code) a "fork". There might be some wording change to "upstreams allow" in the new policy to include this as should-be-unbundled cases — although I'm not sure it's valuable in the cases where the bundled libraries aren't already packaged. > Huh? 3 simple steps to unbundling (>90% success rate, especially with the > growing number of stupid upstreams that bundle not out of necessity, but > because they simply don't believe in unbundling): Possibly easy upfront, but then, what if there's an API mismatch between either an update of this package and the system lib such that the unbundled combination no longer works? Then, something that was easy for the packager suddenly becomes a programming problem. > Do you have any concrete examples where unbundling libraries caused security > issues? To me, this looks like a very abstract threat, and in no way > comparable to the major security risk posed by outdated bundled libraries. Curl, compiled against a version of ssl different from what the code expects. > What kind of automated tooling? The only kind of tooling I can think of is > tooling to automatically upgrade bundled libraries, but then you end up > causing exactly the same "new, unique bugs" as when just using the system > library (or conversely, if it works just fine, just using the system library > would work just as fine!), without the other advantages of unbundling (disk > space, RAM and update download bandwidth savings). Find all the bundled libraries in all of Fedora, even with minor variations in code and version. When there's a vulnerability, automatically generate patches, bump the RPMs, rebuild test builds, run them through automated testing (including a new test for whatever just-revealed CVE), and ping the maintainers. -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
