Adam Miller wrote:
> In today's FESCo meeting we discussed the fact that there are many
> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
> are defining a `Provides: bundled(<lib>) = <version>` but excluding
> the version completely[0][1]. This removes the ability to properly
> perform source code auditing and security vulnerability tracking.
>
> My question to the Fedora Contributor Community is, how should we
> handle this? Is this something that should just simply be fixed by the
> packages currently violating the Guidelines, should the Guidelines be
> altered in a way that makes this easier to deal with for Packagers but
> also provides what is needed for auditing and vulnerability tracking,
> or is there simply clarification needed of what is required in the
> <version> field?

A version number may not even exist at all. Not all code that people copy
is a library with a version number. Copylibs often don't bother doing
releases because everyone just embeds it as a git submodule or checks out
some random revision to copy into their own SCM. Hence, it is not realistic
to require a version number.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
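The following is an added example, not code from the thread, Fedora, or FESCo. It shows concretely why an unversioned `bundled(<lib>)` Provides defeats vulnerability tracking: a small auditor parses lines in the shape that `rpm -q --provides <pkg>` prints, pulls out the `bundled(...)` virtual Provides, and checks each against an advisory table. The sample output lines, the library names, and the advisory table (`ADVISORIES`, with made-up `EXAMPLE-ADV-*` ids and fixed-in versions) are all constructed for this example; the version comparison is a simplified rpmvercmp, not the real `rpm` module.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: lines in the shape `rpm -q --provides <pkg>` prints.
# Library names and versions here are made up for the example.
SAMPLE_PROVIDES = """\
foo = 1.2.3-4.fc39
foo(x86-64) = 1.2.3-4.fc39
bundled(zlib) = 1.2.11
bundled(jquery) = 3.6.0
bundled(md5-c)
bundled(uthash) = 2.1.0
bundled(tinyxml)
config(foo) = 1.2.3-4.fc39
"""

# Hypothetical advisory table: library -> (first fixed version, advisory id).
# These are NOT real advisories; they stand in for whatever feed a tracker uses.
ADVISORIES = {
    "zlib": ("1.2.12", "EXAMPLE-ADV-1"),
    "jquery": ("3.5.0", "EXAMPLE-ADV-2"),
    "md5-c": ("0.2", "EXAMPLE-ADV-3"),
}

# `bundled(name)` optionally followed by `= version`; the version group is
# None exactly in the case the thread is about.
BUNDLED_RE = re.compile(r"^bundled\((?P<name>[^)]+)\)(?:\s*=\s*(?P<version>\S+))?$")


class Bundled(NamedTuple):
    name: str
    version: Optional[str]  # None when the Provides omits "= <version>"


def parse_provides(text: str) -> list[Bundled]:
    """Pick the bundled(...) virtual Provides out of rpm --provides output."""
    found = []
    for line in text.splitlines():
        m = BUNDLED_RE.match(line.strip())
        if m:
            found.append(Bundled(m.group("name"), m.group("version")))
    return found


def unversioned(text: str) -> list[str]:
    """Names of bundled libraries whose Provides carries no version."""
    return [b.name for b in parse_provides(text) if b.version is None]


def _segments(v: str) -> list[tuple[int, object]]:
    # Split into digit runs and letter runs, dropping separators, the way
    # rpmvercmp does; numeric segments (rank 1) always beat alpha ones (rank 0).
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", v)]


def version_lt(a: str, b: str) -> bool:
    """Simplified rpmvercmp ordering (no tilde/caret handling): is a older than b?"""
    return _segments(a) < _segments(b)


def audit(text: str) -> dict[str, str]:
    """Classify each bundled library in the Provides output against ADVISORIES."""
    report = {}
    for b in parse_provides(text):
        adv = ADVISORIES.get(b.name)
        if adv is None:
            report[b.name] = "no advisory"
        elif b.version is None:
            # No version recorded: the tracker cannot say affected or not.
            report[b.name] = f"UNKNOWN ({adv[1]}: version missing, cannot triage)"
        elif version_lt(b.version, adv[0]):
            report[b.name] = f"AFFECTED ({adv[1]}, fixed in {adv[0]})"
        else:
            report[b.name] = f"fixed ({adv[1]})"
    return report


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PROVIDES).items():
        print(f"{name:12} {verdict}")
    print("unversioned:", unversioned(SAMPLE_PROVIDES))
```

Run against a real package with `rpm -q --provides <pkg> | python3 audit.py`-style piping, the only change needed is reading stdin instead of `SAMPLE_PROVIDES`. Note how `md5-c` ends up as UNKNOWN rather than AFFECTED or fixed: with no version string there is nothing to compare, which is the auditing gap the original message describes, and a git commit hash or snapshot date in the version slot would at least give the tracker something to match on.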