On Fri, May 3, 2019 at 1:45 PM Nicolas Mailhot via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Le vendredi 03 mai 2019 à 12:04 +0100, Tomasz Kłoczko a écrit :
> > On Fri, 3 May 2019 at 11:04, Nicolas Mailhot via devel
> > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > [..]
> > > You're assuming the only use is roolback. It's not
> >
> > Point taken. Can you shortly describe other use cases?
>
> You use apps in one of those languages that static build by default.
> There is a security alert in one code component. You want to know which
> packages in your repo/mirror have been build using the broken piece of
> source code
Last time we disagreed on this topic my opinion was that static
linking should imply bundled provides:
Provides: bundled(<as usual>) = <crate or module version>
Hopefully something that could be automated for some stacks. To me
there is no difference between bundling source code and bundling arch
code, since most of the time I have seen it in action it was more a
feat of vendoring for internal usage rather than actually providing a
duplicate something to be consumed by others. And it would solve the
post-CVE system inspection problem.
Dridi
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
