>>>> "AM" == Adam Miller
<maxamillion(a)fedoraproject.org> writes:
[...]
AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
AM> the version completely[0][1]. This removes that ability to properly
AM> perform source code auditing and security vulnerability tracking.
I would argue that it doesn't remove the ability, but that it does make
it more difficult to do in an automated fashion. Basically you can see
that something has a bundled library but then you need to do manual
inspection to go further.
AM> My question to the Fedora Contributor Community is, how should we
AM> handle this?
Identify and mail lists of the problematic packages to devel (using
find-package-maintainers from
https://pagure.io/fedora-misc-package-utilities if possible). Figure
out if there are any cases which aren't easy to fix for some reason.
If there are any, then see if a change is needed to accommodate.
If I had to hazard a guess, I would say that there are at least some
cases where it's not really obvious what version to use. This would
make sense in the case of a fork that's undergone significant rewriting.
Though I wonder if any bundled(X) tag is even warranted in that case.
Alternatively, say that you don't have to specify a version, but if you
don't then you will get every related security bug filed against your
package instead of having those filtered by version.
- J<
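The point made above (an unversioned `bundled(<lib>)` Provides still tells you something is bundled, but leaves nothing to filter on, so those packages fall back to manual inspection) can be shown as a small audit. The script below is an added example for this thread, not code from the list, from Fedora infrastructure or from fedora-misc-package-utilities. It parses `rpm -q --provides` style output, separates versioned from unversioned `bundled()` entries, and for a hypothetical advisory on one library sorts packages into affected, not affected, and needs-manual-review. Package names, the sample Provides lines, the library and fixed version are all constructed; the version comparison is a deliberately simplified numeric-field compare, and real tooling should use `rpm.labelCompare()` from python3-rpm instead.

```python
import re
import subprocess
from typing import Dict, List, NamedTuple, Optional

# One line of `rpm -q --provides` output. A bundled() Provides either carries a
# version (`bundled(zlib) = 1.2.11`) or none at all (`bundled(zlib)`). The greedy
# `.+` tolerates nested parentheses such as bundled(golang(github.com/foo/bar)).
BUNDLED_RE = re.compile(
    r"^bundled\((?P<lib>.+)\)"
    r"(?:\s*(?P<op>=|<=|>=|<|>)\s*(?P<version>\S+))?\s*$"
)


class Bundled(NamedTuple):
    package: str
    lib: str
    version: Optional[str]   # None when the spec omitted the version


def parse_provides(package: str, lines: List[str]) -> List[Bundled]:
    """Extract bundled() entries from one package's Provides lines."""
    found = []
    for line in lines:
        m = BUNDLED_RE.match(line.strip())
        if m:
            found.append(Bundled(package, m.group("lib"), m.group("version")))
    return found


def provides_from_rpm(package: str) -> List[str]:
    """Query the installed RPM database (real command; needs rpm on PATH)."""
    out = subprocess.run(["rpm", "-q", "--provides", package],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def _numeric_tuple(version: str):
    """Simplified version key: epoch dropped, numeric fields only.
    Assumption: adequate for the constructed sample. Real tooling should use
    rpm.labelCompare() from python3-rpm, which implements rpmvercmp."""
    version = version.split(":", 1)[-1]
    return tuple(int(p) for p in re.findall(r"\d+", version))


def triage(entries: List[Bundled], lib: str, fixed_in: str) -> Dict[str, List[str]]:
    """For a hypothetical advisory on `lib` fixed in `fixed_in`, bucket packages.
    Unversioned bundled() entries cannot be filtered by version at all, so they
    land in manual_review, which is the gap the thread describes."""
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "manual_review": []}
    fixed = _numeric_tuple(fixed_in)
    for e in entries:
        if e.lib != lib:
            continue
        if e.version is None:
            buckets["manual_review"].append(e.package)
        elif _numeric_tuple(e.version) < fixed:
            buckets["affected"].append(e.package)
        else:
            buckets["not_affected"].append(e.package)
    return buckets


# Constructed sample: what `rpm -q --provides` might print for three made-up
# packages. Names and versions are illustrative only.
SAMPLE_PROVIDES = {
    "alpha-tool": [
        "alpha-tool = 2.4.0-1.fc40",
        "bundled(zlib) = 1.2.11",
        "bundled(golang(github.com/example/lib)) = 0.3.1",
    ],
    "beta-daemon": [
        "beta-daemon = 1.0-3.fc40",
        "bundled(zlib)",                      # version omitted: the case under discussion
    ],
    "gamma-cli": [
        "gamma-cli = 7.1-1.fc40",
        "bundled(zlib) = 1:1.3.1",            # epoch-prefixed version
    ],
}


def audit_sample():
    """Return (packages with unversioned bundled() provides, triage for zlib < 1.2.12)."""
    entries: List[Bundled] = []
    for pkg, lines in SAMPLE_PROVIDES.items():
        entries.extend(parse_provides(pkg, lines))
    unversioned = sorted(e.package for e in entries if e.version is None)
    return unversioned, triage(entries, "zlib", "1.2.12")


if __name__ == "__main__":
    unversioned, report = audit_sample()
    print("unversioned bundled() provides:", unversioned)
    for bucket, pkgs in report.items():
        print(f"{bucket}: {pkgs}")
```

To run it against a real system, replace the sample dict with `provides_from_rpm(pkg)` for each package of interest; the `manual_review` bucket is then the list that would be mailed to devel for follow-up.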