>>>>> "AM" == Adam Miller <maxamillion@xxxxxxxxxxxxxxxxx> writes:

[...]

AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
AM> the version completely[0][1]. This removes that ability to properly
AM> perform source code auditing and security vulnerability tracking.

I would argue that it doesn't remove the ability, but that it does make
it more difficult to do in an automated fashion. Basically you can see
that something has a bundled library, but then you need to do manual
inspection to go further.

AM> My question to the Fedora Contributor Community is, how should we
AM> handle this?

Identify and mail lists of the problematic packages to devel (using
find-package-maintainers from
https://pagure.io/fedora-misc-package-utilities if possible). Figure
out if there are any cases which aren't easy to fix for some reason. If
there are any, then see if a change is needed to accommodate.

If I had to hazard a guess, I would say that there are at least some
cases where it's not really obvious what version to use. This would
make sense in the case of a fork that's undergone significant
rewriting. Though I wonder if any bundled(X) tag is even warranted in
that case.

Alternatively, say that you don't have to specify a version, but if you
don't then you will get every related security bug filed against your
package instead of having those filtered by version.

 - J<
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
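The point made in the thread above, that an unversioned `Provides: bundled(<lib>)` still tells you a library is bundled but prevents an automated tracker from filtering a vulnerability by version, can be shown with a small script. This is an added example and is not part of the thread, of Fedora's packaging tooling, or of the find-package-maintainers utility. The spec fragments are constructed, and `version_key` is a deliberately simplified stand-in for rpm's own rpmvercmp (assumption: dotted numeric/alphabetic versions only).

```python
"""Triage Fedora-style `Provides: bundled(<lib>) [= <version>]` tags.

Added example, not Fedora tooling. Spec snippets are constructed for
illustration; version_key is a simplified stand-in for rpmvercmp.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One bundled() tag per Provides line, with an optional "= <version>" suffix.
BUNDLED_RE = re.compile(
    r"^\s*Provides:\s*bundled\(([^)]+)\)\s*(?:=\s*(\S+))?\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Bundled:
    package: str
    lib: str
    version: Optional[str]  # None when the spec omits "= <version>"


def parse_provides(package: str, spec_text: str) -> List[Bundled]:
    """Extract every bundled() tag from the text of one spec file."""
    found = []
    for line in spec_text.splitlines():
        m = BUNDLED_RE.match(line)
        if m:
            found.append(Bundled(package, m.group(1).strip(), m.group(2)))
    return found


def version_key(v: str) -> Tuple[Tuple[int, object], ...]:
    """Simplified ordering key (assumption: adequate for dotted versions).

    Numeric parts compare numerically, alphabetic parts as strings. This is
    NOT a full rpmvercmp; real tooling should call rpm's comparison.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def unversioned_tags(specs: Dict[str, str]) -> List[Bundled]:
    """The report described in the thread: bundled() tags lacking a version."""
    return [
        b
        for pkg, text in specs.items()
        for b in parse_provides(pkg, text)
        if b.version is None
    ]


def triage(
    specs: Dict[str, str], lib: str, fixed_in: str
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Sort packages bundling `lib` for an advisory fixed in `fixed_in`.

    Returns (affected, manual_audit, not_affected):
      affected      versioned tag older than the fix: file the bug
      manual_audit  unversioned tag: someone has to inspect the sources
      not_affected  versioned tag at or past the fix: filtered out by version
    """
    affected: Set[str] = set()
    manual_audit: Set[str] = set()
    not_affected: Set[str] = set()
    fix_key = version_key(fixed_in)
    for package, text in specs.items():
        for b in parse_provides(package, text):
            if b.lib != lib:
                continue
            if b.version is None:
                manual_audit.add(package)
            elif version_key(b.version) < fix_key:
                affected.add(package)
            else:
                not_affected.add(package)
    return affected, manual_audit, not_affected


# Constructed spec fragments; these are not real Fedora packages.
SAMPLE_SPECS = {
    "foo": "Name: foo\nProvides: bundled(zlib) = 1.2.11\nProvides: bundled(libjpeg)\n",
    "bar": "Name: bar\nProvides:       bundled(zlib) = 1.2.8\n",
    "baz": "Name: baz\nProvides: bundled(zlib)\nProvides: bundled(expat) = 2.2.9\n",
}


if __name__ == "__main__":
    for b in unversioned_tags(SAMPLE_SPECS):
        print(f"{b.package}: bundled({b.lib}) has no version")
    affected, manual, clean = triage(SAMPLE_SPECS, "zlib", "1.2.11")
    print("file bug:", sorted(affected))
    print("manual audit:", sorted(manual))
    print("filtered by version:", sorted(clean))
```

With a hypothetical zlib fix at 1.2.11, `bar` (1.2.8) is flagged automatically, `foo` (1.2.11) is filtered out, and `baz` lands in the manual-audit bucket because its tag carries no version, which is exactly the "every related security bug filed against your package" outcome the message describes. On real systems the Provides data would come from `rpm -q --provides` or the spec files rather than inline strings.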