On Tue, Jan 21, 2025 at 4:58 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > * Gerd Hoffmann: > > >> We would also need to consider what our committement is to security > >> updates when apps are bundling stuff, as the same reasons that make > >> unbundling huard, also make fixing security issues hard. > > > > Note that in the go/rust world the unbundling does *not* make security > > updates much easier. Due to the static linkling it is not enough to > > update the buggy package. You have to rebuild packages depending on > > the updated package too. > > But rebuilds can be automated. Generating patches for vendored > dependencies may be possible to some extent (but of course the vendored > package variants could have diverging versions). And then you have to > integrate the patch somehow so that it is applied during %prep. This > can be tricky to automate due to the varying preferences of package > maintainers. > Rebuilds can be automated, but they won't as it is right now. Existing Fedora packaging infrastructure and rules prevent us from doing this. There are minor changes that need to be made to our packaging macros and policies to allow automated rebuilds, but fundamentally nothing in use in Fedora now or being developed in the future (including Konflux) is designed to help do this in a way that is useful for Fedora packagers. We know it's possible because this is how openSUSE works today. They never schedule mass builds because they always happen automatically with the right conditions, so it's a non-event. This is the direction we should be going, but because people keep conflating software CI/CD with distribution CI/CD, we don't get the tools we need for it in Fedora. Software CD systems simply can't do this because they're not designed to handle this problem. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
