On Tue, Jan 21, 2025 at 11:08 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>
> * Gerd Hoffmann:
>
> >> We would also need to consider what our commitment is to security
> >> updates when apps are bundling stuff, as the same reasons that make
> >> unbundling hard, also make fixing security issues hard.
> >
> > Note that in the go/rust world the unbundling does *not* make security
> > updates much easier. Due to the static linking it is not enough to
> > update the buggy package. You have to rebuild packages depending on
> > the updated package too.
>
> But rebuilds can be automated. Generating patches for vendored
> dependencies may be possible to some extent (but of course the vendored
> package variants could have diverging versions). And then you have to
> integrate the patch somehow so that it is applied during %prep. This
> can be tricky to automate due to the varying preferences of package
> maintainers.

Yes, that's exactly the point I wanted to make.

Workflow with non-vendored dependencies:

- update library or backport fix
- submit rebuilds of dependent applications (with rpmautospec, those are
  no-change commits)

Workflow with vendored dependencies:

- check out application and vendored sources
- patch vendored sources
- repeat checkout / patching for *every affected application*

Yes, Neal, making changes so that no-change rebuilds don't require git
commits would make workflow 1 even more streamlined. Waiting for your
proposal on how to achieve this ;)

Fabio
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
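The step in the vendored workflow that does not automate well is finding "every affected application" in the first place, and Florian's caveat that vendored copies can carry diverging versions is exactly what makes a naive search unreliable. The script below is an added example written for this editorial pass; it is not code from the thread, from Fedora's infrastructure, or from any of the people quoted. It assumes the Fedora spec-file convention `Provides: bundled(golang(<import path>)) = <version>` / `Provides: bundled(crate(<name>)) = <version>`, plus the upstream vendor manifests Go writes to `vendor/modules.txt` and Cargo writes to `Cargo.lock`. It cross-checks the spec declaration against the manifest so that a stale `Provides:` line neither hides an affected package nor flags a fixed one. All package names, dependency names and file contents are constructed sample input, not real Fedora packages.

```python
"""Locate applications that bundle a vulnerable Go module or Rust crate.

Added example, not code from the Fedora devel thread or Fedora tooling.
Assumptions (labelled): spec files declare bundled deps as
'Provides: bundled(golang(<path>)) = <ver>' or 'bundled(crate(<name>)) = <ver>';
Go vendor trees carry 'vendor/modules.txt' ('# <module> <version>' lines);
Rust trees carry 'Cargo.lock' ('[[package]]' blocks). Sample inputs below
are constructed so the script runs offline.
"""
import re

# Spec-file declaration of a bundled Go module or Rust crate (Fedora convention).
SPEC_RE = re.compile(
    r"^Provides:\s*bundled\((?:golang|crate)\(([^)]+)\)\)\s*=\s*(\S+)", re.M)
# vendor/modules.txt: each vendored module starts with "# <module path> <version>";
# "## explicit" and package lines do not match because of the single "# ".
MODULES_RE = re.compile(r"^# (\S+) (v\S+)", re.M)
# Cargo.lock: "[[package]]" followed by name/version lines.
CARGO_RE = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')


def parse_version(v):
    """Turn 'v1.4.2', '1.4.2-rc1' or '1.4.2+meta' into a comparable tuple."""
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable(version, fixed_in, introduced="0.0.0"):
    """True when introduced <= version < fixed_in (half-open range)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)


def bundled_versions(files):
    """Yield (filename, dependency, version) for every bundled dep a package declares."""
    for fname, text in files.items():
        if fname.endswith(".spec"):
            regex = SPEC_RE
        elif fname.endswith("modules.txt"):
            regex = MODULES_RE
        elif fname.endswith("Cargo.lock"):
            regex = CARGO_RE
        else:
            continue
        for dep, ver in regex.findall(text):
            yield fname, dep, ver


def find_affected(packages, dependency, fixed_in, introduced="0.0.0"):
    """Return sorted [(package, file, version)] for every vulnerable bundled copy.

    Both the spec declaration and the vendor manifest are reported, so a
    package whose spec and manifest disagree shows up with both versions.
    """
    hits = set()
    for pkg, files in packages.items():
        for fname, dep, ver in bundled_versions(files):
            if dep == dependency and is_vulnerable(ver, fixed_in, introduced):
                hits.add((pkg, fname, ver))
    return sorted(hits)


def declaration_mismatches(files):
    """Deps whose spec 'Provides: bundled(...)' version differs from the manifest."""
    spec, manifest = {}, {}
    for fname, dep, ver in bundled_versions(files):
        (spec if fname.endswith(".spec") else manifest)[dep] = ver.lstrip("v")
    return sorted((dep, spec[dep], manifest[dep])
                  for dep in spec.keys() & manifest.keys() if spec[dep] != manifest[dep])


# Constructed sample packages (hypothetical names and dependency paths).
PACKAGES = {
    "app-a": {
        "app-a.spec": "Name: app-a\nProvides: bundled(golang(example.com/lib/parse)) = 1.4.2\n",
        "vendor/modules.txt": "# example.com/lib/parse v1.4.2\n## explicit\nexample.com/lib/parse\n",
    },
    # app-b's spec was not updated when the vendored copy moved to 1.5.0.
    "app-b": {
        "app-b.spec": "Name: app-b\nProvides: bundled(golang(example.com/lib/parse)) = 1.4.9\n",
        "vendor/modules.txt": "# example.com/lib/parse v1.5.0\n## explicit\nexample.com/lib/parse\n",
    },
    "tool-c": {
        "tool-c.spec": "Name: tool-c\nProvides: bundled(crate(parse)) = 0.9.1\n",
        "Cargo.lock": '[[package]]\nname = "parse"\nversion = "0.9.1"\n\n'
                      '[[package]]\nname = "tool-c"\nversion = "2.0.0"\n',
    },
}

if __name__ == "__main__":
    # Hypothetical advisory: example.com/lib/parse affected from 1.2.0, fixed in 1.5.0.
    for hit in find_affected(PACKAGES, "example.com/lib/parse", "1.5.0", "1.2.0"):
        print("affected:", hit)
    for pkg, files in PACKAGES.items():
        for mismatch in declaration_mismatches(files):
            print("spec/manifest disagree in", pkg, mismatch)
```

Run against real dist-git checkouts, `find_affected` gives the list of applications that need the "check out / patch / rebuild" loop, and `declaration_mismatches` catches the case Florian raised: a spec whose `Provides: bundled(...)` line no longer matches what is actually vendored, which is the copy that will be linked into the binary.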