Bundled Provides Libraries and Versioning

Hello all,
    In today's FESCo meeting we discussed the fact that there are many
RPMs currently in Fedora (a reported 244 in Rawhide currently) that
are defining a `Provides: bundled(<lib>) = <version>` but excluding
the version completely[0][1]. This removes the ability to properly
perform source code auditing and security vulnerability tracking.

My question to the Fedora Contributor Community is, how should we
handle this? Is this something that should just simply be fixed by the
packages currently violating the Guidelines, should the Guidelines be
altered in a way that makes this easier to deal with for Packagers but
also provides what is needed for auditing and vulnerability tracking,
or is there simply clarification needed on what is required in the
<version> field?

I look forward to the discussion.

Thank you,
-AdamM


[0] - https://pagure.io/fesco/issue/1734
[1] - https://pagure.io/packaging-committee/issue/696
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
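
An added example, not part of the original message and not Fedora's own tooling: a small Python check that reads spec-file text and separates `Provides: bundled(<lib>)` entries that pin a version with `=` from those that omit it, which is the gap the message says blocks auditing and vulnerability tracking. The names `audit_spec` and `SAMPLE_SPEC` and the sample spec contents are constructed for illustration; macros are reported as written, not expanded.

```python
import re

# One dependency token: bundled(<name>), optionally followed by "= <version>".
# <name> may contain one level of nested parentheses.
BUNDLED = re.compile(
    r"bundled\((?P<name>(?:[^()\s]|\([^()\s]*\))+)\)"
    r"(?:\s*=\s*(?P<ver>[^\s,]+))?"
)

def audit_spec(text):
    """Return (versioned, unversioned) bundled() provides found in spec text.

    versioned maps library name -> version string as written in the spec;
    unversioned lists library names declared without "= <version>".
    """
    versioned, unversioned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Commented-out lines start with "#" and are skipped by this test.
        if not line.lower().startswith("provides:"):
            continue
        # A Provides: line may carry several entries separated by commas or spaces.
        for m in BUNDLED.finditer(line.split(":", 1)[1]):
            if m.group("ver"):
                versioned[m.group("name")] = m.group("ver")
            else:
                unversioned.append(m.group("name"))
    return versioned, unversioned

# Constructed sample spec fragment (not taken from any real package).
SAMPLE_SPEC = """\
Name: example
Version: 1.0
Provides: bundled(libfoo) = 2.3.1
Provides: bundled(libbar)
Provides: bundled(golang(example.com/x/y)) = 0.4.0, bundled(libbaz)
# Provides: bundled(commented)
Provides: bundled(libqux) = %{qux_version}
"""

if __name__ == "__main__":
    pinned, missing = audit_spec(SAMPLE_SPEC)
    for name, ver in pinned.items():
        print(f"ok       bundled({name}) = {ver}")
    for name in missing:
        print(f"MISSING  bundled({name}) has no version")
```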