On 7.7.2017 at 19:43 Jason L Tibbitts III wrote:
>>>>>> "AM" == Adam Miller <maxamillion@xxxxxxxxxxxxxxxxx> writes:
> [...]
> AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
> AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
> AM> the version completely[0][1]. This removes that ability to properly
> AM> perform source code auditing and security vulnerability tracking.
>
> I would argue that it doesn't remove the ability, but that it does make
> it more difficult to do in an automated fashion. Basically you can see
> that something has a bundled library but then you need to do manual
> inspection to go further.
>
> AM> My question to the Fedora Contributor Community is, how should we
> AM> handle this?
>
> Identify and mail lists of the problematic packages to devel (using
> find-package-maintainers from
> https://pagure.io/fedora-misc-package-utilities if possible). Figure
> out if there are any cases which aren't easy to fix for some reason.
>
> If there are any, then see if a change is needed to accommodate.
>
> If I had to hazard a guess, I would say that there are at least some
> cases where it's not really obvious what version to use.

I can support this guess. For example, ruby.spec has the following provides:

~~~
# Virtual provides for CCAN copylibs.
# https://fedorahosted.org/fpc/ticket/364
Provides: bundled(ccan-build_assert)
Provides: bundled(ccan-check_type)
Provides: bundled(ccan-container_of)
Provides: bundled(ccan-list)
~~~

If you can tell me what version it should specify, I'll happily add the versions. And I also remember lengthy discussions with OkJson upstream (this is the original bundling exception [1]) about versions.

BTW is it enough to use a git hash as a version? This does not seem right ....
Vít

[1] https://fedorahosted.org/fpc/ticket/113

_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
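Jason's point that unversioned `bundled()` provides only make automated tracking harder, not impossible, suggests a small audit script. The following is an added example, not code from this thread or from Fedora's own tooling: it takes `rpm -q --provides`-style output or spec `Provides:` lines for a set of packages, lists bundled libraries with no version, and also flags versions that look like bare git hashes, since rpm's segment-by-segment version comparison gives two commit hashes no meaningful order (the concern behind Vít's closing question). The ruby lines mirror the spec snippet quoted above; the package `pkg-b`, its libraries and the hex-hash heuristic are invented for the example.

```python
import re

# One line of "rpm -q --provides" output or a spec "Provides:" line, e.g.
#   bundled(ccan-list)                  -> no version
#   bundled(libexample) = 1.4.2         -> versioned
#   Provides: bundled(x) = 3f2a9c1d     -> spec style, hash-like version
BUNDLED_RE = re.compile(
    r"^(?:Provides:\s*)?bundled\((?P<lib>[^)]+)\)"
    r"(?:\s*=\s*(?P<ver>\S+))?\s*$"
)

# Heuristic (assumption, not an rpm rule): 7 to 40 lowercase hex characters
# with no dots is almost certainly a bare git commit hash, not a release
# version.  A purely numeric 7+ digit version would also trip it.
GIT_HASH_RE = re.compile(r"^[0-9a-f]{7,40}$")


def classify_bundled(lines):
    """Sort bundled() provides into missing / hash-like / versioned buckets.

    Non-bundled provides are ignored.  "hashlike" and "versioned" hold
    (lib, version) tuples; "missing" holds bare library names.
    """
    out = {"missing": [], "hashlike": [], "versioned": []}
    for raw in lines:
        m = BUNDLED_RE.match(raw.strip())
        if not m:
            continue
        lib, ver = m.group("lib"), m.group("ver")
        if ver is None:
            out["missing"].append(lib)
        elif GIT_HASH_RE.match(ver):
            out["hashlike"].append((lib, ver))
        else:
            out["versioned"].append((lib, ver))
    return out


def audit(provides_by_package):
    """Return {package: [problem, ...]} for packages whose bundled()
    provides cannot be matched against an advisory's affected-version
    range automatically: no version at all, or a git hash that rpmvercmp
    cannot order relative to other commits.
    """
    findings = {}
    for pkg, lines in provides_by_package.items():
        c = classify_bundled(lines)
        problems = [f"{lib}: no version" for lib in c["missing"]]
        problems += [f"{lib}: hash-like version {v}" for lib, v in c["hashlike"]]
        if problems:
            findings[pkg] = problems
    return findings


# Constructed sample input.  The ruby lines are the ones quoted in the
# thread; "pkg-b" is an invented package covering the other cases.
SAMPLE = {
    "ruby": [
        "bundled(ccan-build_assert)",
        "bundled(ccan-check_type)",
        "bundled(ccan-container_of)",
        "bundled(ccan-list)",
    ],
    "pkg-b": [
        "Provides: bundled(libexample) = 1.4.2",
        "Provides: bundled(libhashver) = 3f2a9c1d",
        "Provides: libexample-devel = 1.4.2",
    ],
}

if __name__ == "__main__":
    for pkg, problems in audit(SAMPLE).items():
        print(pkg)
        for problem in problems:
            print("  " + problem)
```

In practice the input for each package would come from `rpm -q --provides <pkg>` over an installed set or from the spec files in dist-git; the script only needs the lines. The hash check is a heuristic: a versioned provide that happens to be a long run of hex digits is not wrong by itself, but it gives a vulnerability tracker nothing it can compare against an advisory's fixed-in version, which is the same practical gap as a missing version.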