>>>> "AM" == Adam Miller
AM> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
AM> are defining a `Provides: bundled(<lib>) = <version>` but excluding
AM> the version completely. This removes that ability to properly
AM> perform source code auditing and security vulnerability tracking.
I would argue that it doesn't remove the ability, but that it does make
it more difficult to do in an automated fashion. Basically you can see
that something has a bundled library but then you need to do manual
inspection to go further.
AM> My question to the Fedora Contributor Community is, how should we
AM> handle this?
Identify and mail lists of the problematic packages to devel (using
if possible). Figure
out if there are any cases which aren't easy to fix for some reason.
If there are any, then see if a change is needed to accommodate.
If I had to hazard a guess, I would say that there are at least some
cases where it's not really obvious what version to use. This would
make sense in the case of a fork that's undergone significant rewriting.
Though I wonder if any bundled(X) tag is even warranted in that case.
Alternatively, say that you don't have to specify a version, but if you
don't then you will get every related security bug filed against your
package instead of having those filtered by version.
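One way to do the identification step above, as an added Python example that is not part of this thread: it flags every `bundled(<lib>)` Provides that carries no version. It assumes input lines of the form `<package><TAB><provide>` (the constructed sample below); a query format such as `rpm -qa --qf '[%{NAME}\t%{PROVIDENEVRS}\n]'` is assumed to produce that shape.

```python
import re

# Matches rpm's rendering of a Provides entry such as "bundled(zlib) = 1.2.13".
# The library name is matched greedily so names that themselves contain
# parentheses (e.g. golang-style provides) are handled; the version part is
# optional, which is exactly the case this check is looking for.
BUNDLED_RE = re.compile(
    r"^bundled\((?P<lib>.+)\)\s*(?:(?P<op>[<>=]+)\s*(?P<ver>\S+))?\s*$"
)

# Constructed sample input: "<package>\t<provide>" per line (assumed format).
SAMPLE = """\
webapp\tbundled(jquery) = 3.5.1
webapp\tbundled(bootstrap)
webapp\twebapp = 2.0-1.fc40
imgtool\tbundled(zlib) = 1.2.13
imgtool\tbundled(libjpeg)
imgtool\tbundled(stb_image)
imgtool\tbundled(golang(github.com/example/lib)) = 1.2.0
imgtool\tlibimgtool.so.0()(64bit)
cleanpkg\tbundled(lua) = 5.4.6
"""


def parse_provides(text):
    """Yield (package, provide) pairs from tab-separated lines, skipping blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, _, provide = line.partition("\t")
        yield pkg.strip(), provide.strip()


def unversioned_bundled(text):
    """Return {package: [lib, ...]} for every bundled() Provides lacking a version."""
    report = {}
    for pkg, provide in parse_provides(text):
        m = BUNDLED_RE.match(provide)
        if m and m.group("ver") is None:
            report.setdefault(pkg, []).append(m.group("lib"))
    return report


def report_lines(text):
    """Render a mailable summary, one line per offending package, sorted by name."""
    return [f"{pkg}: {', '.join(libs)}"
            for pkg, libs in sorted(unversioned_bundled(text).items())]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE)))
```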