On Wednesday, 30 September 2015 at 14:35, Stephen Gallagher wrote:
Just to circle around here (in case people don't read my reply to the
FESCo meeting agenda), I'm making the following revised proposal[1] to
FESCo which may or may not be discussed at today's meeting (given that
it was submitted late):
=== Mandatory ===
* The Fedora Base Working Group has been tasked with defining the base
platform of Fedora since its inception. As part of this proposal, we
set a deadline for them to provide (and maintain) a specific list of
critical path packages. The critical path set is ''not'' required to be
self-hosting.
* Working Groups for the separate Editions '''may''' voluntarily add
packages into the critical path atop the Base WG requirements.
* All packages in the critical path '''must''' obey the current strict
bundling rules.
* All packages not in the critical path whose upstreams allow them to
be built against system libraries '''must''' be built against system
libraries.
* All packages not in the critical path whose upstreams have no
mechanism to build against system libraries '''must''' be contacted
publicly about a path to supporting system libraries. If upstream
refuses, this must be recorded in a link included in the spec file.
* All packages not in the critical path whose upstreams have no
mechanism to build against system libraries '''may''' opt to carry
bundled libraries, but if they do, they '''must''' include
{{{Provides: bundled(<libname>) = <version>}}} in their RPM spec file.
I strongly object to this last point. If we simply allow free bundling
provided that it's recorded then we're opening a can of worms each
having a different CVE written on their backs. A recently discovered
bundling of lua[2] (with an actual open CVE) in luatex (and probably
in many more packages) is a good example of why this is a bad idea.
The current FPC bundling exception process should be preserved,
otherwise we're effectively removing all motivation to work with
upstreams on unbundling.
=== Strongly Recommended ===
* Packages in the critical path should be re-reviewed every two years
(possibly as a Flock workshop) to avoid unintentional divergence from
the policies.
+1
[2] https://fedorahosted.org/fpc/ticket/569
Regards,
Dominik
--
Fedora
http://fedoraproject.org/wiki/User:Rathann
RPMFusion
http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5: "Confessions and Lamentations"
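The thread's security argument is that every bundled library copy carries its own CVE exposure, and the one mechanism the proposal gives distributions to track that exposure is the `Provides: bundled(<libname>) = <version>` tag. The following is an added example, not code from the thread or from Fedora, showing how a packager or security team could use those tags: it parses the tag out of spec file text, flags declarations that omit the version, and cross-checks versioned declarations against a table of the first fixed release for each library. The spec snippets, package names, library versions and the "fixed in" table are all constructed for illustration and do not correspond to any real advisory.

```python
"""Inventory 'Provides: bundled(<lib>) = <version>' tags from RPM spec text
and flag bundled copies that are unversioned or older than a known fix.

Added example; the spec contents and version numbers below are constructed."""
import re
from typing import Dict, List, Tuple

# Matches the tag form proposed in the thread. The version is optional in the
# regex only so that a missing version can be reported as a finding.
BUNDLED_RE = re.compile(
    r"^\s*Provides:\s*bundled\(\s*(?P<lib>[^)\s]+)\s*\)\s*(?:=\s*(?P<ver>\S+))?\s*$",
    re.MULTILINE,
)


def parse_bundled_provides(spec_text: str) -> List[Tuple[str, str]]:
    """Return (libname, version) pairs declared via bundled() Provides.
    A declaration without a version yields '' as the version."""
    return [(m.group("lib"), m.group("ver") or "")
            for m in BUNDLED_RE.finditer(spec_text)]


def version_key(ver: str) -> Tuple[int, ...]:
    """Turn '5.2.4' into (5, 2, 4) for ordering. Pieces that do not start with
    digits count as 0; this is a deliberate simplification of RPM's own
    version comparison, good enough for plain dotted versions."""
    parts = []
    for piece in re.split(r"[.\-_]", ver):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def audit_bundled(specs: Dict[str, str],
                  fixed_in: Dict[str, str]) -> List[Dict[str, str]]:
    """Cross-check every bundled() declaration in `specs` (package -> spec text)
    against `fixed_in` (library -> first version that carries the fix).

    Findings are dicts with a 'status' of either 'unversioned' (the tag gives
    no version, so exposure cannot be assessed) or 'affected' (the bundled
    version is older than the fixed one)."""
    findings = []
    for pkg, text in specs.items():
        for lib, ver in parse_bundled_provides(text):
            if not ver:
                findings.append({"package": pkg, "lib": lib,
                                 "version": "", "status": "unversioned"})
            elif lib in fixed_in and version_key(ver) < version_key(fixed_in[lib]):
                findings.append({"package": pkg, "lib": lib, "version": ver,
                                 "status": "affected", "fixed_in": fixed_in[lib]})
    return findings


# Constructed sample input: three spec fragments and a hypothetical fix table.
SAMPLE_SPECS = {
    "luatex": "Name: luatex\nVersion: 0.80\nProvides: bundled(lua) = 5.2.3\n"
              "BuildRequires: zlib-devel\n",
    "foo":    "Name: foo\nProvides: bundled(lua)\n",
    "bar":    "Name: bar\nProvides: bundled(zlib) = 1.2.8\n",
}
FIXED_IN = {"lua": "5.2.4", "zlib": "1.2.8"}  # constructed, not real advisories


if __name__ == "__main__":
    for f in audit_bundled(SAMPLE_SPECS, FIXED_IN):
        print(f)
```

Run against a real package set, the spec text would come from the distribution's package sources and the `fixed_in` table from the advisory feed; the point of the example is that the tag makes this audit a simple text scan, whereas bundled copies without the tag (the luatex case the thread cites) are invisible to it.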