Consequences of library bundling (was: Re: OpenH264 in Fedora)

[Florian Weimer]

On 11/06/2013 08:52 PM, Adam Jackson wrote:

> Again: don't stop the solution short based on what the current code
> happens to implement.
>
> If we're building the bundles - and there's reasons we would want to -
> then we know the patches we need to apply.

Despite significant efforts, we still have some trouble doing precisely 
that in the current environment.  Ensuring that critical changes are 
applied to all relevant branches pretty much relies on individual 
developer effort and attention.

 From a birds-eye view, we perform bundling at the distribution level. 
Carrying patches back and forth is not easy.  We've been dealing with 
this for a decade or more, yet supporting technology is still scarce. 
This has little to do with RPM and its limitations because it's about 
making sure that dist-git (both Fedora and further downstream) have the 
required or best possible versions of the code base.  At this stage, the 
lack of multiple RPM database, multiple versions of the same package, 
etc. does not come into play.  There are some constraints due to the 
processes involved, but everyone is free to use the data that is just 
out there and start their own side project to tackle this problem.  Yet 
this hasn't happened.  There have been some research efforts, but 
nothing came out of that which actually had a chance of integration. 
(Other distributions face the same challenge.)

That's why I'm fairly convinced that the delivery mechanism isn't 
holding back a solution.  It's just a very difficult problem, no matter 
how you eventually ship your bits.

-- 
Florian Weimer / Red Hat Product Security Team