On Fri, Jul 7, 2017 at 10:55 AM, Adam Miller <maxamillion@xxxxxxxxxxxxxxxxx> wrote:
> Hello all,
> In today's FESCo meeting we discussed the fact that there are many
> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
> are defining a `Provides: bundled(<lib>) = <version>` but excluding
> the version completely[0][1]. This removes the ability to properly
> perform source code auditing and security vulnerability tracking.
>
> My question to the Fedora Contributor Community is, how should we
> handle this? Is this something that should just simply be fixed by the
> packages currently violating the Guidelines, should the Guidelines be
> altered in a way that makes this easier to deal with for Packagers but
> also provides what is needed for auditing and vulnerability tracking,
> or is there simply clarification needed by what is required in the
> <version> field?

How many of those are bundled(jquery)?

A couple of years ago, those of us with packages that generate documentation via doxygen were asked to add that to our spec files. (I no longer remember who asked us, sorry.) The reasoning was that someday, somebody would want to do something about fixing doxygen to point to a system version of jquery, and adding those Provides would make the process of finding the affected packages easier. I haven't heard anything more since then, so I don't know if anybody is even working on the issue.

--
Jerry James
http://www.jamezone.org/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
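The audit the thread is asking for (which spec files declare `Provides: bundled(<lib>)` without a version, so a vulnerability in that library cannot be matched against the bundled copy) can be scripted. The following is an added example, not code from the thread, from FESCo or from any Fedora tooling; the spec fragment it scans is constructed for the demonstration, and the macro expansion it performs is a deliberately small subset of what rpm itself does (`%global`/`%define` plus the Name/Version/Release tags). It goes slightly beyond the message by also resolving versions given as macros and by handling several provides on one `Provides:` line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample spec (not any real Fedora package) exercising the
# cases the audit has to tell apart.
SAMPLE_SPEC = """\
Name:           example-docs
Version:        1.4.2
Release:        1%{?dist}
Summary:        Constructed sample spec for the bundled() check

# Good: library name and version both declared.
Provides:       bundled(jquery) = 3.2.1
# Good: version supplied through a macro defined in the spec.
%global zlib_ver 1.2.11
Provides:       bundled(zlib) = %{zlib_ver}
# Bad: no version, so CVE tracking cannot match this copy.
Provides:       bundled(expat)
# Mixed: several provides on one line, one of them unversioned.
Provides:       bundled(libfoo) = 0.9, bundled(libbar)
# Unrelated virtual provide, ignored by the check.
Provides:       example-docs-data = %{version}-%{release}
"""

GLOBAL_RE = re.compile(r'^\s*%(?:global|define)\s+(\w+)\s+(\S+)', re.M)
PROVIDES_RE = re.compile(r'^\s*Provides\s*:\s*(.+)$', re.M)
# bundled(<name>) optionally followed by a comparison and a version token
BUNDLED_RE = re.compile(r'bundled\(([^)]+)\)\s*(?:(?:>=|<=|=|<|>)\s*([^\s,]+))?')
MACRO_RE = re.compile(r'%\{\??(\w+)\}|%(\w+)')


@dataclass
class BundledProvide:
    name: str
    version: Optional[str]  # None when the spec gives no version at all


def expand_macros(text: str, macros: dict) -> str:
    """Replace %{name} / %name with known values; unknown macros are kept verbatim."""
    def sub(m):
        key = m.group(1) or m.group(2)
        return macros.get(key, m.group(0))
    return MACRO_RE.sub(sub, text)


def parse_bundled(spec_text: str) -> List[BundledProvide]:
    """Collect every bundled(<lib>) provide in a spec, with its version resolved where possible."""
    macros = dict(GLOBAL_RE.findall(spec_text))
    # The preamble tags are usable as macros (%{version} etc.) in rpm too.
    for tag in ("Name", "Version", "Release"):
        m = re.search(rf'^{tag}\s*:\s*(\S+)', spec_text, re.M)
        if m:
            macros[tag.lower()] = m.group(1)
    found = []
    for line in PROVIDES_RE.findall(spec_text):
        for name, ver in BUNDLED_RE.findall(line):
            version = expand_macros(ver, macros) if ver else None
            found.append(BundledProvide(name, version))
    return found


def unversioned(spec_text: str) -> List[str]:
    """Names of bundled libraries whose Provides carries no version (the guideline violation)."""
    return [p.name for p in parse_bundled(spec_text) if p.version is None]


def unresolved(spec_text: str) -> List[str]:
    """Names whose version is a macro this simple expander could not resolve."""
    return [p.name for p in parse_bundled(spec_text)
            if p.version is not None and '%' in p.version]


if __name__ == "__main__":
    for p in parse_bundled(SAMPLE_SPEC):
        print(f"{p.name:10s} {p.version or 'MISSING VERSION'}")
    print("unversioned:", unversioned(SAMPLE_SPEC))
    print("unresolved macros:", unresolved(SAMPLE_SPEC))
```

Run over a directory of spec files, the `unversioned()` list is the set of packages the FESCo discussion is about; `unresolved()` separates packagers who did give a version (through a macro the script does not know) from those who gave none, which is the distinction that matters for whether a CVE in the library can be matched to the package.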