Re: Bundled Provides Libraries and Versioning

>>>>> "AM" == Adam Miller <maxamillion@xxxxxxxxxxxxxxxxx> writes:

[...]
AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
AM> the version completely[0][1]. This removes the ability to properly
AM> perform source code auditing and security vulnerability tracking.

I would argue that it doesn't remove the ability, but that it does make
it more difficult to do in an automated fashion.  Basically you can see
that something has a bundled library but then you need to do manual
inspection to go further.

AM> My question to the Fedora Contributor Community is, how should we
AM> handle this?

Identify and mail lists of the problematic packages to devel (using
find-package-maintainers from
https://pagure.io/fedora-misc-package-utilities if possible).  Figure
out if there are any cases which aren't easy to fix for some reason.

If there are any, then see if a change is needed to accommodate.

If I had to hazard a guess, I would say that there are at least some
cases where it's not really obvious what version to use.  This would
make sense in the case of a fork that's undergone significant rewriting.
Though I wonder if any bundled(X) tag is even warranted in that case.

Alternatively, say that you don't have to specify a version, but if you
don't then you will get every related security bug filed against your
package instead of having those filtered by version.

 - J<
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
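As an added illustration of the point both messages above make (a versioned `bundled(<lib>) = <version>` provide can be matched against a vulnerable-version list automatically, an unversioned one cannot and falls back to manual inspection or "every related bug gets filed"), here is a small checker. It is example code written for this page, not a tool from Fedora or from the thread. The tab-separated `package<TAB>provide` input format and the sample package names and libraries are constructed for the example; a real run would feed it the output of `rpm -q --provides` or `dnf repoquery --provides` for each package. Version matching is exact-string against a set, not RPM version comparison, which is a deliberate simplification.

```python
"""Flag RPM 'Provides: bundled(<lib>)' entries that omit the version,
and show what a version-filtered vulnerability lookup can and cannot do.

Example code for this page, not from the mailing-list thread or Fedora.
Input format (one provide per line, "<package>\t<provide>") is assumed.
"""
import re
from collections import defaultdict

# One provide string, e.g. "bundled(zlib) = 1.2.11" or "bundled(jquery)".
# The version group is optional, which is exactly the case being discussed.
BUNDLED_RE = re.compile(r"^bundled\((?P<lib>[^)]+)\)(?:\s*=\s*(?P<version>\S+))?$")

# Constructed sample input: package names and libraries are invented.
SAMPLE_PROVIDES = """\
foo\tbundled(zlib) = 1.2.11
foo\tbundled(jquery)
foo\tlibfoo.so.1()(64bit)
bar\tbundled(libev) = 4.33
bar\tbundled(md5-plumb)
baz\tbundled(gnulib)
baz\tbundled(gnulib)
"""


def parse_provides(text):
    """Return {pkg: {"versioned": {lib: version}, "unversioned": {lib, ...}}}.

    Non-bundled provides (shared-library sonames etc.) are ignored.
    """
    result = defaultdict(lambda: {"versioned": {}, "unversioned": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, _, prov = line.partition("\t")
        m = BUNDLED_RE.match(prov.strip())
        if not m:
            continue
        lib, version = m.group("lib"), m.group("version")
        if version:
            result[pkg]["versioned"][lib] = version
        else:
            result[pkg]["unversioned"].add(lib)
    return dict(result)


def packages_missing_version(text):
    """Packages to report to their maintainers: at least one bundled() provide
    carries no version. Value is the sorted list of offending libraries."""
    parsed = parse_provides(text)
    return {pkg: sorted(info["unversioned"])
            for pkg, info in parsed.items() if info["unversioned"]}


def affected_by(text, lib, vulnerable_versions):
    """Split packages bundling `lib` into (confirmed_affected, needs_inspection).

    A versioned provide is matched exactly against `vulnerable_versions`;
    an unversioned provide cannot be filtered, so the package lands in the
    needs_inspection list (the "you get every related bug" outcome).
    """
    parsed = parse_provides(text)
    affected, unknown = [], []
    for pkg, info in parsed.items():
        if lib in info["versioned"]:
            if info["versioned"][lib] in vulnerable_versions:
                affected.append(pkg)
        elif lib in info["unversioned"]:
            unknown.append(pkg)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    for pkg, libs in sorted(packages_missing_version(SAMPLE_PROVIDES).items()):
        print(f"{pkg}: unversioned bundled provides: {', '.join(libs)}")
    hit, manual = affected_by(SAMPLE_PROVIDES, "zlib", {"1.2.11"})
    print(f"zlib: affected={hit} needs-manual-inspection={manual}")
    hit, manual = affected_by(SAMPLE_PROVIDES, "gnulib", {"2019-01-01"})
    print(f"gnulib: affected={hit} needs-manual-inspection={manual}")
```

Run as-is it prints the three packages with an unversioned provide, then shows the two outcomes: `foo` is confirmed affected by a hypothetical zlib 1.2.11 issue because its version is recorded, while `baz` ends up in the manual-inspection bucket for any gnulib issue because `bundled(gnulib)` carries no version to filter on.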