"AM" == Adam Miller maxamillion@fedoraproject.org writes:
[...]
AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
AM> the version completely[0][1]. This removes that ability to properly
AM> perform source code auditing and security vulnerability tracking.
I would argue that it doesn't remove the ability, but that it does make it more difficult to do in an automated fashion. Basically you can see that something has a bundled library but then you need to do manual inspection to go further.
AM> My question to the Fedora Contributor Community is, how should we
AM> handle this?
Identify and mail lists of the problematic packages to devel (using find-package-maintainers from https://pagure.io/fedora-misc-package-utilities if possible). Figure out if there are any cases which aren't easy to fix for some reason.
If there are any, then see if a change is needed to accommodate.
If I had to hazard a guess, I would say that there are at least some cases where it's not really obvious what version to use. This would make sense in the case of a fork that's undergone significant rewriting. Though I wonder if any bundled(X) tag is even warranted in that case.
Alternatively, say that you don't have to specify a version, but if you don't then you will get every related security bug filed against your package instead of having those filtered by version.
- J<
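One way to produce the list of problematic packages the reply suggests, as an added example that is not part of the original mail or of any Fedora tooling: it parses `rpm -q --provides` style lines and reports every `bundled(<lib>)` whose `= <version>` is missing. The package names and Provides lines in `SAMPLE` are constructed; `installed_provides()` assumes a host with `rpm` and is not run on import.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# One line of `rpm -q --provides <pkg>` output, e.g. "bundled(zlib) = 1.2.11"
# or the unversioned "bundled(zlib)". The greedy group copes with nested
# parentheses such as bundled(golang(github.com/x/y)) = 1.0.
BUNDLED_RE = re.compile(r"^bundled\((.+)\)(?:\s*=\s*(\S+))?\s*$")

def parse_bundled(provides: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (library, version-or-None) for each bundled() Provides line."""
    found = []
    for line in provides:
        m = BUNDLED_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def unversioned_bundled(pkg_provides: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map package -> bundled libraries whose Provides omit '= <version>'."""
    report = {}
    for pkg, provides in pkg_provides.items():
        missing = [lib for lib, ver in parse_bundled(provides) if ver is None]
        if missing:
            report[pkg] = sorted(missing)
    return report

def installed_provides() -> Dict[str, List[str]]:
    """Collect Provides for every installed package via rpm (assumes rpm is present)."""
    names = subprocess.check_output(
        ["rpm", "-qa", "--queryformat", "%{NAME}\n"], text=True).split()
    return {n: subprocess.check_output(
        ["rpm", "-q", "--provides", n], text=True).splitlines() for n in names}

# Constructed sample standing in for installed_provides(); package names are made up.
SAMPLE = {
    "example-app": ["example-app = 2.0-1", "bundled(zlib) = 1.2.11", "bundled(libfoo)"],
    "example-go-tool": ["bundled(golang(github.com/example/lib)) = 1.2.3"],
    "example-web": ["bundled(jquery) = 3.5.1", "bundled(bootstrap)"],
}

if __name__ == "__main__":
    for pkg, libs in sorted(unversioned_bundled(SAMPLE).items()):
        print(f"{pkg}: bundled() without version for {', '.join(libs)}")
```

Replace `SAMPLE` with `installed_provides()` to run it against a real Rawhide or mock chroot; the output is the per-package list that would go to devel.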