Consequences of library bundling (was: Re: OpenH264 in Fedora)
fweimer at redhat.com
Thu Nov 7 12:49:22 UTC 2013
On 11/06/2013 08:52 PM, Adam Jackson wrote:
> Again: don't stop the solution short based on what the current code
> happens to implement.
> If we're building the bundles - and there's reasons we would want to -
> then we know the patches we need to apply.
Despite significant efforts, we still have some trouble doing precisely
that in the current environment. Ensuring that critical changes are
applied to all relevant branches pretty much relies on individual
developer effort and attention.
From a birds-eye view, we perform bundling at the distribution level.
Carrying patches back and forth is not easy. We've been dealing with
this for a decade or more, yet supporting technology is still scarce.
This has little to do with RPM and its limitations because it's about
making sure that dist-git (both Fedora and further downstream) have the
required or best possible versions of the code base. At this stage, the
lack of multiple RPM database, multiple versions of the same package,
etc. does not come into play. There are some constraints due to the
processes involved, but everyone is free to use the data that is just
out there and start their own side project to tackle this problem. Yet
this hasn't happened. There have been some research efforts, but
nothing came out of that which actually had a chance of integration.
(Other distributions face the same challenge.)
That's why I'm fairly convinced that the delivery mechanism isn't
holding back a solution. It's just a very difficult problem, no matter
how you eventually ship your bits.
Florian Weimer / Red Hat Product Security Team
More information about the devel