On 2017-07-07, Adam Miller <maxamillion@xxxxxxxxxxxxxxxxx> wrote:
> `Provides: bundled(<lib>) = <version>` but excluding
> the version completely[0][1]. This removes that ability to properly
> perform source code auditing and security vulnerability tracking.
>
> My question to the Fedora Contributor Community is, how should we
> handle this?

It's a wrong assumption that a version of the bundled code is known. Either
the bundled upstream has no versions, or the bundled code is heavily
modified (hence the reason for not unbundling and the need for Provides:
bundled()), or the bundled code has no upstream (anymore).

I usually try to track the version the code was bundled from, but
sometimes it's impossible to figure out.

Thus I recommend relaxing the guidelines. It's still better to have an
unversioned bundled() RPM symbol than nothing.

-- Petr