With regard to the recent protobuf package issue and the eclipse module, I started wondering how bugs work with packages bundled in modules. That is, packages that exist outside modules (e.g., protobuf) that end up bundled with some module. NOTE: It is very easy for module posts to quickly balloon out in to all sorts of topics and stories. I would prefer that we keep this thread related to the Subject above. Thanks. The following are policy questions I came up with after the protobuf issue happened: 1) Are modules allowed to bundle packages that are provided by and currently maintained in the base system? Are there are restrictions to what a module can bundle (e.g., can a module bundle glibc)? 2) Using protobuf as an example, if a bug is found by a user and they happen to deduce that the error is in protobuf, how do they file a bug? Do they file the bug against protobuf if the bundled one from the module has the issue? What maintainer is on the hook for handling that bug report? My assumption here is that the module maintainer is ultimately responsible for everything they bundle. Another concern I see here is we are opening ourselves up for N+1 different builds of protobuf where N is the number of modules installed on a system and all of them could have protobuf bundled. 3) If a user files a bug against a module and the module maintainer triages that to a bundled package, how is that handled? Who is maintaining the bundled build of that package? Who is responsible for fixing it? 4) How can users determine what packages are installed from a module and how can you see what, if any, module "owns" a package? I have been unable to determine how to do this from dnf. 5) How are CVEs handled for packages that are also bundled with a module? I have read as much as I can find about how things work right now with modules, but that has been mostly the "how" and nothing around policy. Thanks, -- David Cantrell <dcantrell@xxxxxxxxxx> Red Hat, Inc. | Boston, MA | EST5EDT _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
