On Fri, Oct 09, 2015 at 11:00:30AM -0400, Stephen Gallagher wrote:
> > +1 And I was serious about it, rather sticking to guidelines as if
> > they were dogma, I prefer positive actions to fight poor
> > practices.
> I'm thoroughly behind this. I think an unbundling SIG is a far better
> solution to the bundling problem than the high barrier-to-entry and
> poor-enforcement solution that we had previously.
> Having a group of motivated and knowledgeable individuals focused on
> removing unnecessary bundling would be far more likely to result in
> secure *and* usable software. I'd be more than happy to participate in
> such a SIG as time allows.

One of Kevin's concerns — I think I can state fairly! — is that the previous policy had basically the strongest teeth we have for anything in Fedora. If you don't debundle, you can't participate.

I think we should generally trust the package maintainers to make the right call on whether debundling would be _actively problematic_ for their package. But, going back to my triangle illustration:

A. For packagers with inclination and availability, but short on expertise, the Unbundling SIG will be clearly valuable. The SIG could offer patches both initially and when needed on an ongoing basis. (Possibly the policy would be for someone from the SIG to become a comaintainer, or possibly even use provenpackager privs for this purpose with coordination with the package's primary contact.)

B. For packagers with inclination and expertise, but no *time*, pretty much the same deal.

C. Now, when we get to availability and expertise but no inclination.... well, let me break that down further.

When the packager has reasoned belief that debundling is actively bad in some way for this package, I think we should trust the packager. I know not everyone on this thread agrees, but in general, Fedora *always* places a high level of trust in our packagers to make the right call in all sorts of situations. Here, perhaps some of the current (former?) pages on the rationale for unbundling could be moved into the Unbundling SIG's space and used as guidance.

But, in the case where the packager just doesn't see it as important, maybe the Unbundling SIG could have a stronger mandate, possibly overseen by the FPC, to also sign up for comaintainership and make the necessary packaging changes.

In cases where the bundled libraries already exist in Fedora, this might be as simple as changing the "packages whose upstreams allow them to be built against system libraries must be built against system libraries" to "packages which can be correctly built against libraries already packaged separately in Fedora must use those libraries, or get an exception from the FPC".

If the bundled libraries *don't* already exist separately in Fedora, the previous policy required the would-be packager to do what is often a huge amount of work to separate them, and in many cases, that was for very, very little actual gain, as these then just became new leaves with only one consumer.

I'm not very excited about policies which demand that other people do work — not necessarily as a matter of libertarian principles, but just as practicality. Obviously we're not Debian, but I think this part from their Getting Started guide applies to volunteer software projects in general:

  * We all are volunteers.
  * You cannot impose on others what to do.
  * You should be motivated to do things by yourself.

  <https://www.debian.org/doc/manuals/maint-guide/start.en.html#socialdynamics>

and in that light, I think if there's something which isn't previously available but *could* be, and which the Unbundling SIG identifies as important, the Unbundling SIG could work to make those libs available independently, turning this into the previous case.

I'd also like to see something like:

  When adding a package which carries a bundled library, the name chosen in "Provides: bundled(<libname>)" should match the naming guidelines as if that package were provided separately. When in doubt, check with the FPC.

  When adding this line, please run [whatever command] to find existing packages which provide that library, and consider contacting the maintainers of those packages and the Unbundling SIG to work on an effort to make this into a separate, shared package. See [Why Bundled Libraries Are Bad] for details on how this benefits Fedora maintainers and users.

-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader