https://bugzilla.redhat.com/show_bug.cgi?id=1218758

--- Comment #12 from Richard Shaw <hobbes1069@xxxxxxxxx> ---
(In reply to Christopher Meng from comment #11)
> I haven't read the thread of that change recently in devel, I don't plan to
> read it because I'm against the relaxed attitude of that policy always. But
> in this case I don't think unbundling the library is worthwhile.

Both the no bundled libraries and treatment of bundled libraries wiki links are essentially gone so there's no guidance at this point. Due to the degree of modification I can't attribute the bundled copy of mongoose to a particular version but I did add the virtual provide, so in the rare case that some CVE is issued, I'll follow up with upstream and see if the bundled copy has the same vulnerability.

> I'd focus on that security issue reported by rpmlint, honestly, OSX sucks
> more.

I'm not enough of a security expert but mongoose issue link above explains their reasoning, so I'm not sure what to do beyond that.