[Proposal] Ring-based Packaging Policies

Björn Persson Bjorn at xn--rombobjrn-67a.se
Thu Feb 12 23:33:24 UTC 2015


Stephen Gallagher wrote:
>* The package *MAY* contain bundled libraries or other projects, but if
>it does so, it *MUST* contain a "Provides: bundled(pkg) = version" for
>each such bundling. This is done so that we can use the meta-data to
>identify which packages may be vulnerable in the event of a security
>issue.

Before (and if) this becomes policy, it must be defined exactly what
"pkg" shall be. In some cases it's obvious. In other cases a name
exists in multiple variants. If we end up with one package bundling
"gpg", another "gnupg" and a third "gpg2", then the policy hasn't
fulfilled its purpose of making it easy to find all packages that
bundle a particular piece of software.

Shall it be the name of the RPM package in Fedora? Or the source RPM
package? But what if there isn't a Fedora package of the bundled
software? Shall it be the name of the upstream source tarball? Some
projects don't even release tarballs. The soname? That works only for
compiled libraries. The project name on Sourceforge/Github/Savannah/...?
The domain name of its website? But one project can distribute multiple
packages, and some projects use multiple websites and nothing enforces
that the name is the same everywhere. Could the name of the root
directory of its source code tree be used? Some source packages
(especially those that are packaged in zip files instead of tarballs)
contain multiple files and directories without a common root directory.

-- 
Björn Persson
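As an added illustration (not part of the original post), the following Python script runs a bundled-library search over constructed `Provides:` data and shows the problem described above: an exact-name query for "gnupg" finds one package, while only a hypothetical alias table of name variants finds all three. The sample package data and the alias table are constructed for this example.

```python
import re

# Constructed sample: "Provides:" entries of four hypothetical packages.
# Three of them bundle GnuPG under three different names.
SAMPLE_PROVIDES = {
    "foo": ["foo = 1.2-3.fc21", "bundled(gpg) = 1.4.18", "libfoo.so.1()(64bit)"],
    "bar": ["bar = 0.9-1.fc21", "bundled(gnupg) = 2.0.26"],
    "baz": ["baz = 4.0-2.fc21", "bundled(gpg2) = 2.0.22", "bundled(zlib) = 1.2.8"],
    "qux": ["qux = 2.1-1.fc21", "bundled(zlib)"],
}

# Matches "bundled(name)" with an optional " = version" part.
BUNDLED_RE = re.compile(r"^bundled\(([^()\s]+)\)(?:\s*=\s*(\S+))?$")


def parse_bundled(provides):
    """Return [(name, version)] for every bundled() entry; version is None if absent."""
    found = []
    for entry in provides:
        m = BUNDLED_RE.match(entry.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def packages_bundling(name, index, aliases=None):
    """Map package -> bundled version for packages bundling `name`.

    `aliases` (hypothetical) maps each known name variant to a canonical name;
    without it, only entries spelled exactly like `name` are found."""
    aliases = aliases or {}
    target = aliases.get(name, name)
    hits = {}
    for pkg, provides in index.items():
        for bundled_name, version in parse_bundled(provides):
            if aliases.get(bundled_name, bundled_name) == target:
                hits[pkg] = version
    return hits


# Hypothetical alias table: the canonical-name mapping the policy would need.
GNUPG_ALIASES = {"gpg": "gnupg", "gpg2": "gnupg", "gnupg2": "gnupg"}

if __name__ == "__main__":
    print(packages_bundling("gnupg", SAMPLE_PROVIDES))                 # only "bar"
    print(packages_bundling("gnupg", SAMPLE_PROVIDES, GNUPG_ALIASES))  # foo, bar, baz
```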