On Sat, Oct 30, 2010 at 12:01:25AM +0100, Jeroen van Meeuwen wrote:
> Toshio Kuratomi wrote:
> > > If you're on packaging@xxxxxxxxxx, we should probably take discussion
> > > there.
> > >
> > > Here's the fpc ticket with the question of whether we should relax the
> > > guidelines:
> > > https://fedorahosted.org/fpc/ticket/15
> > >
> > > Note that your description of the rubygem-passenger system could still fail
> > > to pass the test under revised guidelines depending on what they turn out
> > > to be. For instance, the guidelines might allow bundling of the latest
> > > upstream version or of the version provided by Fedora, or they might
> > > require that the package maintainer be able to code fixes should they be
> > > necessary. It's probably a good idea to join packaging@xxxxxxxxxx and
> > > give reasons that requirements like that aren't needed.
> > >
>
> As per the thread on advisory-board;
> http://lists.fedoraproject.org/pipermail/advisory-board/2010-October/009577.html
>
> I urge you to consider to allow exceptions like these for the greater benefit
> of your users -and thus upstream, through Fedora.
>

The questions are how? and why?

Possible how: Allow apps to bundle libraries period.
Possible why: Because users are going to run the apps anyway and if they come from Fedora, at least we can be providing updates to the broken versions as the fixes become available instead of relying on the user to seek them out.

Possible how: Apps are allowed to bundle libraries as long as the maintainer commits to keeping the app ported to the newest version of the bundled library within Fedora at all times.
Possible why: Security fixes and bugfixes to the library are going to be pushed to the latest versions of packages in Fedora. We need to make sure that the libraries are kept in sync so that we can consume those fixes quickly if a problem arises. We need to make sure that there is someone able to make fixes (the maintainer) in case a problem arises.

Possible how: Apps that bundle libraries must get a commitment from FES that FES will maintain code in the apps should it be needed. The commitment must be made for every release that Fedora is released for.
Possible why: FES is available to do coding work on the distribution. If they sign up for maintaining a package's code, the maintainer does not need to know how to program (only package). FES, being a group, allows greater flexibility for fixing issues quickly should a security issue need a quick turn-around.

Please add more suggestions -- I'm not really satisfied with any of these so there's definitely room for improvement here.

-Toshio