On Tue, Jan 21, 2025 at 4:45 PM Maxwell G <maxwell@xxxxxxx> wrote: > > On 1/21/25 7:09 AM, Fabio Valentini wrote: > >> But rebuilds can be automated. Generating patches for vendored > >> dependencies may be possible to some extent (but of course the vendored > >> package variants could have diverging versions). And then you have to > >> integrate the patch somehow so that it is applied during %prep. This > >> can be tricky to automate due to the varying preferences of package > >> maintainers. > > Yes, that's exactly the point I wanted to make. > > > > Workflow with non-vendored dependencies: > > - update library or backport fix > > - submit rebuilds of dependent applications (with rpmautospec, those > > are no-change commits) > > > > Workflow with vendored dependencies: > > - check out application and vendored sources > > - patch vendored sources > > - repeat checkout / patching for*every affected application* > > go-vendor-tools has an automated mechanism to handle security updates > without needing to generate patches or edit the specfile (other than > bumping Release/%changelog if rpmautospec isn't used) [1]. We could > write a script to automatically checkout each package, use > go-vendor-tools to regenerate the vendor archive with the updated > dependency, and file PRs. This sounds great. Thank you for working on it! (I'd like to have something similar for Rust packages that build with vendored dependencies, at some point, to handle the gnarly bits that are currently there ...) Fabio -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
