On Sun, Jul 9, 2017 at 5:36 PM, Kevin Kofler kevin.kofler@chello.at wrote:
> Adam Miller wrote:
>> In today's FESCo meeting we discussed the fact that there are many
>> RPMs currently in Fedora (a reported 244 in Rawhide currently) that are defining a `Provides: bundled(<lib>) = <version>` but excluding the version completely[0][1]. This removes the ability to properly perform source code auditing and security vulnerability tracking.
>> My question to the Fedora Contributor Community is, how should we handle this? Is this something that should just simply be fixed by the packages currently violating the Guidelines, should the Guidelines be altered in a way that makes this easier to deal with for Packagers but also provides what is needed for auditing and vulnerability tracking, or is there simply clarification needed by what is required in the <version> field?
> A version number may not even exist at all. Not all code that people copy is a library with a version number. Copylibs often don't bother doing releases because everyone just embeds it as a git submodule or checks out some random revision to copy into their own SCM. Hence, it is not realistic to require a version number.
> Kevin Kofler

So should we just stop requiring any RPMs be versioned since it's not realistic to require a version number?
-AdamM
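The thread's concern is that a `Provides: bundled(<lib>)` with no `= <version>` cannot be matched against a vulnerable version range. The following is an added example (not code from the thread, Fedora, or any packaging tool) that scans constructed `rpm -q --provides`-style output for bundled() provides and reports which ones carry no version; the package names and provides lines are made up for illustration.

```python
import re

# Constructed sample of `rpm -q --provides` output for a few hypothetical packages.
SAMPLE_PROVIDES = {
    "appa": """\
appa = 2.3-1.fc27
bundled(zlib) = 1.2.11
bundled(jquery)
libappa.so.1()(64bit)
""",
    "appb": """\
appb = 0.9-4.fc27
bundled(md5-c) = 20170101git1a2b3c4
bundled(libfoo)
bundled(libbar)
""",
}

# Matches "bundled(<lib>)" optionally followed by "= <version>".
BUNDLED_RE = re.compile(r'^bundled\(([^)]+)\)\s*(?:=\s*(\S+))?$')


def parse_bundled(provides_text):
    """Return a list of (lib, version) tuples; version is None when absent."""
    found = []
    for line in provides_text.splitlines():
        m = BUNDLED_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def unversioned_bundled(provides_by_package):
    """Map package name -> bundled libs that have no version, skipping clean packages."""
    report = {}
    for pkg, text in provides_by_package.items():
        missing = [lib for lib, ver in parse_bundled(text) if ver is None]
        if missing:
            report[pkg] = missing
    return report


if __name__ == "__main__":
    for pkg, libs in sorted(unversioned_bundled(SAMPLE_PROVIDES).items()):
        print(f"{pkg}: unversioned bundled copies of {', '.join(libs)}")
```

On a real system the input would come from `rpm -qa --provides` (or from the spec files themselves); the point of the check is that every entry it reports is a bundled copy that a vulnerability tracker cannot place inside or outside an affected version range.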
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org