On Mon, 2014-01-13 at 08:39 -0500, Matthew Miller wrote:
> On Sun, Jan 12, 2014 at 04:39:12PM -0800, Adam Williamson wrote:
> > You're preaching to the choir. But if in practice people really don't
> > deploy things via the distribution packages, it doesn't matter how
> > awesomely secure the distribution packages are. Something that you're
> > not using is never providing you with any additional security.
> So for me, the question is: how can we make these things at least meet in
> the middle? Can we bring some of the distro benefits to the application
> deployment area?

One thing I would really like is improved tooling for mapping from
upstream sources to RPMs that works *over time*.

Right now tools like "cpanspec" exist, and you can use them one time,
but Fedora currently rather insists that the spec file that lives in pkg
git is canonical - it doesn't really work to attempt to rerun

Many upstream build/deployment systems have substantial portions of the
metadata (BuildRequires/Requires) that RPM needs; it just needs to be
manually maintained/duplicated in the spec.

(One concrete thing to make this work is that RPM needs the ability to
look at the *unpacked* upstream sources before processing BuildRequires)

