On Thu, Sep 15, 2022 at 11:54:13AM -0700, Adam Williamson wrote:
> On Thu, 2022-09-15 at 10:55 -0700, Kevin Fenzi wrote:
> > On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote:
> > >
> > > Proven packagers seem to be a fair category to address. Also packagers
> > > responsible for security-related bits of the distribution. Compilers?
> >
> > Well, as others noted in this thread, any packager has a lot of power.
> > They can add a weak dep on something everyone has installed and pull
> > their package in. Of course they likely only get to do that once.
>
> I kinda feel like we really ought to just stick a check for this
> *somewhere*. An alert should pop up somewhere any time anyone adds a
> Supplements: line to *anything*. It's a sufficiently odd thing to do
> that it shouldn't happen very often, I think...
>
> I suspect in the past the answer to this would be "Patrick probably
> does it already". Did we find a Patrick 2.0 yet? :D
Ha. no.

There is a hook we have that notifies people when someone adds an
exclude/exclusivearch. We could make another one that checks for
Suggests I suppose.

They could just add Requires tho, or add something that makes the auto
dep generating scripts add a requires or suggests.

So, perhaps a CI check would be better, to check the actual produced
binary package.

kevin
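
A sketch of the kind of CI check discussed above, added here as an example and not taken from the thread or from Fedora's infrastructure: it compares the dependency tags of the previous and the new built package, so a dependency that was added directly or by the automatic dependency generators shows up either way. The sample builds, the function names and the "alert"/"review" labels are assumptions made for illustration.

```python
import subprocess

# Dependency tags queried from the built (binary) RPM, not from the spec file.
TAGS = ("requires", "recommends", "suggests", "supplements", "enhances")
# Reverse weak deps attach this package to installs of other packages.
REVERSE_WEAK = {"supplements", "enhances"}


def parse_deps(text):
    """Parse `rpm -qp --<tag>` output (one dependency per line) into a set."""
    deps = set()
    for line in text.splitlines():
        line = line.strip()
        # rpmlib(...) entries are rpm feature markers, not package dependencies.
        if line and not line.startswith("rpmlib("):
            deps.add(line)
    return deps


def query_rpm(path):
    """Collect every dependency tag from a built package with the rpm CLI."""
    return {
        tag: parse_deps(subprocess.run(
            ["rpm", "-qp", f"--{tag}", path],
            check=True, capture_output=True, text=True).stdout)
        for tag in TAGS
    }


def added_deps(old, new):
    """Return (severity, tag, dep) for each dependency present only in `new`."""
    findings = []
    for tag in TAGS:
        # Whole lines are compared, so a changed version constraint also counts as new.
        for dep in sorted(new.get(tag, set()) - old.get(tag, set())):
            severity = "alert" if tag in REVERSE_WEAK else "review"
            findings.append((severity, tag, dep))
    return findings


# Constructed sample data: dependency listings of two builds of a hypothetical package.
OLD_BUILD = {"requires": parse_deps("libc.so.6()(64bit)\nrpmlib(CompressedFileNames) <= 3.0.4-1\n")}
NEW_BUILD = {
    "requires": parse_deps("libc.so.6()(64bit)\nlibcurl.so.4()(64bit)\n"),
    "supplements": parse_deps("bash\n"),
}

if __name__ == "__main__":
    for severity, tag, dep in added_deps(OLD_BUILD, NEW_BUILD):
        print(f"{severity}: new {tag}: {dep}")
```

In a real pipeline the two dictionaries would come from `query_rpm()` run on the previous and the newly built package.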