Hi, As long as it's explained to upstream why we have this guide, then we've really done all we can. Take Mono.Cecil. It's not in GAC as the API is not stable, so MonoDevelop and a few other packages all come with their own sources of Mono.Cecil which may or may not be the same as the ones we built Mono.Cecil with. As MD accesses it's own Mono.Cecil which it built (which is not in GAC), it is not likely to interfere with anything, however upstream will use that as a reason for including their own sources. Realistically, what can we do about it - nothing as if upstream want to do as they do then all we can do is remove the package or start submitting piles of bugs when things go wrong to try and force them around to our way of doing things. Some may, some may continue regardless. Bit of a bummer that... TTFN Paul -- Sie können mich aufreizen und wirklich heiß machen!

On Thu, 2008-09-18 at 09:05 -0700, Toshio Kuratomi wrote: Maybe have two sets? Fedora Packaging Principals - things that MUST NOT be broken (think - do no harm, ensure patches go upstream, don't replace system libraries in a package etc), and then the Fedora Packaging Guidelines (where there can be a little bit of change due to special circumstances (I can't remove rpath because the package just won't work without it). Agreed I didn't know about the list, I think it'd be a good way to go, I know Debian seem to agree with our policy, it'd be nice to create a united front (in a way) to say to projects that it's unacceptable. Really it all comes down to this: If upstreams have a really good reason to change another upstreams code, why haven't they submit it to their upstream? It gets even more silly when upstreams act as upstream for other minor libraries so that you get 5 or so copies floating about on your system because everyone has had to fork it, because they've explicitly said to maintainers to not package separately/as a subpackage. - NJ -- Nigel Jones <dev(a)nigelj.com&gt;

On Fri, Sep 19, 2008 at 01:41:50AM +1200, Nigel Jones wrote: I'd ask the question differently: If upstream saw itself forced to duplicate/fork a lib how can you help making the forked bits back into the original upstream. I'm not targeting convenience bundling of libs as some projects do/did (these should really be replaced by system libs!), but rather patched up copies of libs that either use specific patches suitable only for that project or the lib upstream generaly is accepting patches at a slow or non-existant rate. Just to quote one such example: ffmpeg is a fast moving target, and any project depending on the lib API is cutting a checkout, patching it a up and using it for its own purposes. Replacing these internal ffmpegs with a system ffmpeg is a nightmare or even impossible w/o rewriting the app interface to it. Given that ffmpeg and friends fall under the patent forbidden class we don't see that directly in Fedora, but this issue is still out there. Other examples that do live in Fedora are minilzo that was never designed to be a shared lib and the consumer apps never designed their build system for a shared minilzo resulting in packages being broken/stalled for months and years before entering Fedora (like libvcnserver and x11vnc). https://bugzilla.redhat.com/show_bug.cgi?id=439772#c21 https://bugzilla.redhat.com/show_bug.cgi?id=439979#c24 I'd recommend to soften this guideline to something as "the packager should try hard to use system libs, and try to communicate the benefits to upstream, but if there are reasons not to use system libs, then he should document this in the specfile". -- Axel.Thimm at ATrpms.net

On Friday, 19 September 2008 at 09:59, Ralf Corsepius wrote: [...] They(we) don't have the manpower to do proper releases, but we do maintain properly versioned API/ABI. The position of a release manager for FFmpeg has been open for months. Many people complained, but nobody is willing to do the legwork. Regards, R. -- Fedora http://fedoraproject.org/wiki/User:Rathann Livna http://rpm.livna.org | MPlayer http://mplayerhq.hu "Faith manages." -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

On Friday, 19 September 2008 at 19:01, Axel Thimm wrote: I've just re-read that thread and AFAICT nobody said it wasn't a good idea. At least one developer offered to help. You even offered to prepare a release candidate but never did. Regards, R. -- Fedora http://fedoraproject.org/wiki/User:Rathann Livna http://rpm.livna.org | MPlayer http://mplayerhq.hu "Faith manages." -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

On Saturday, 20 September 2008 at 11:34, Axel Thimm wrote: I have no idea what you're talking about. Who was banned, exactly? I never saw you asking for that. Regards, R. PS. Feel free to continue off-list, this is getting off-topic. -- Fedora http://fedoraproject.org/wiki/User:Rathann Livna http://rpm.livna.org | MPlayer http://mplayerhq.hu "Faith manages." -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

Axel Thimm wrote: Upstream is wrong. The consequences of their actions don't come back to haunt them, though, they come back to haunt us. If there's a security hole in their library snapshot, their answer can be "we fixed that two months ago. Why didn't you update?" Our answer would have to be: "We have an unfixed vulnerability in gnome-foo-player, toms-foo-player, and foo-plus-player. We are not able to fix these until we perform a port to an incompatible ffmpeg snapshot for the maintainers of the affected software." I think there is benefit: 1) If the library is statically linked in the application it's harder to find in a quick audit. 2) If the flaw affects a range of library versions (for instance, 899.x.y is unaffected), having them be packaged separately makes finding the affected versions and fixing them easier than finding out which versions of the private library each app has. Also, one of the goals of a distribution is to make programs and libraries work together. So the approach we'd likely want to take is choosing a few versions of the library that we could support (probably in conjunction with other distros) and then porting the apps to one of those library versions and getting upstreams to update their private libs to those versions since we were willing to do the port for them. I am against this approach. But perhaps you'll have a useful counter to the points I raised. -Toshio

Axel Thimm wrote: This one's not true. We've already released it. If we remove gnome-foo-player, toms-foo-player, and foo-plus-player from the repository, all we're doing is keeping future people from getting the software. We aren't helping the people who have already received the software. You didn't address the benefits that I outlined below: It might be. If we don't have the manpower to keep things secure then we have no business inflicting them upon our users. >>>>> Just to quote one such example: ffmpeg is a fast moving target, and >>>>> any project depending on the lib API is cutting a checkout, patching >>>>> it a up and using it for its own purposes. Replacing these internal >>>>> ffmpegs with a system ffmpeg is a nightmare or even impossible w/o >>>>> rewriting the app interface to it. Given that ffmpeg and friends fall >>>>> under the patent forbidden class we don't see that directly in Fedora, >>>>> but this issue is still out there. >>>> Well, ffmpeg is a special case wrt. many issues. If they were doing a >>>> proper job, they would release properly versioned packages with properly >>>> versioned APIs, which could be installed in parallel. >>> Even if so, would Fedora package 20 different versions of ffmpeg to >>> satisfy the 20 different consumers? There wouldn't be any benefits to >>> an internal lib either: If there is a security flaw fixed in ffmpeg >>> 1004.0.1 the versions 900.x.y to 1003.x.y would be just as insecure as >>> external packages. >>> >> I think there is benefit: >> >> Also, one of the goals of a distribution is to make programs and >> libraries work together. So the approach we'd likely want to take is >> choosing a few versions of the library that we could support (probably >> in conjunction with other distros) and then porting the apps to one of >> those library versions and getting upstreams to update their private >> libs to those versions since we were willing to do the port for them. > > Well, be my guest. Many have attempted to do so in some cases, but if > upstream is *fast*, you will never catch up, and different > distributions will chose different snapshots depending on the consumer > apps they target, so coordinating will be more than difficult. > > But in principle I agree: If we could afford the manpower to keep all > comsumers compatible to the latest stable release of a library that > would be the ideal world. But we don't have that manpower, which is > not just packaging, but true upstream work. > > A reality check shows that we even lack the definition of "latest > stable upstream release" in some cases like ffmpeg. > Re-read what I wrote. I'm saying "choosing a few versions of the library that we could support (probably in conjunction with other distros) and then porting the apps to one of those library versions". If there's a set of packages that we care enough about that use a library which can't commit to an API for more than a month then we and other distros have to care about the situation and fix it between ourselves. And yes, this is programming that I'm talking about, not just packaging. heh. Okay. :-) -Toshio

On Fri, Sep 19, 2008 at 02:56:25PM +0200, Dominik 'Rathann' Mierzejewski wrote: Note I mentioned the API, which is still changing on a regular basis. For ffmpeg it doesn't actually help that there are no releases ever either. Unless ffmpeg actually releases anything again I doubt that too many projects will try to depend on an external shared lib whose API stability window is a few weeks. This is not a criticism against the very nice work of the ffmpeg people. They just need the freedom of a non stable API for being able to develop as fast and take into account that projects need to cut a snapshot (actually they enforce this explicitely). -- Axel.Thimm at ATrpms.net

On Fri, Sep 19, 2008 at 07:55:38PM +0200, Dominik 'Rathann' Mierzejewski wrote: The soname changes are for the ABI changes, the API does change more than often. So the recent moving of the header files which is part of the API was three years ago and not that summer? Everything that requires an upstream's intervention to make a library link again is API breakage. If the consumer app FTBFS it's an API breakage. 3 years ago ffmpeg was a different project. Try building anything from livna against a one year old ffmpeg, you'll be surprised. :/ -- Axel.Thimm at ATrpms.net