[Proposal] Ring-based Packaging Policies

Ralf Corsepius rc040203 at freenet.de
Fri Feb 13 12:54:59 UTC 2015


On 02/13/2015 10:56 AM, Petr Spacek wrote:

> Modified version of Zbyszek's idea with time constraints follows:
>
> 1) Accept the new package into Fedora N even with bundled libraries.

I am inclined to think Fedora needs to encounter a serious vulnerability 
originating from bundling, such that you guys comprehend why bundling 
is utterly stupid ;)


For those who don't know what I am talking about:
Many years ago (IIRC, ~1999), nobody cared about static linkage or 
bundling. At this time, it was common to statically link and/or bundle 
libraries.

Then a critical vulnerability was found in libz affecting all Linux 
distros. Nobody knew which packages bundled and/or statically linked 
against different versions of libz. It took months for all Linux 
distributions to identify their vulnerable packages, to find solutions 
and to release security fixes.

Meanwhile, we've had much more critical vulnerabilities in widely used 
libs (remember Heartbleed), which all have been quite easy to fix 
packaging-wise. IMO, to a great portion, thanks to having mostly banned 
static linkage and bundling.

Ralf
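As an added illustration, not part of Ralf's message or of the thread, here is the kind of inventory check the libz episode called for: scanning installed binaries for the version banners zlib embeds in its deflate and inflate code, so that statically linked or bundled copies can be found even when no package metadata records them. The banner format is zlib's own; the sample "binaries", their file names and version numbers are constructed here, and the "fixed in" version is an assumed parameter rather than a reference to any particular flaw.

```python
"""Inventory bundled / statically linked zlib copies by their embedded banners.

Added example; not code from the mailing-list thread. The sample binaries
below are constructed byte strings, not real files.
"""
import re
from typing import Dict, List, Tuple

# zlib's deflate.c and inflate.c embed copyright banners such as
#   " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
#   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
# A static link or a bundled copy carries these bytes into the binary, while a
# program that dynamically links libz.so does not contain them.
ZLIB_BANNER = re.compile(
    rb"(deflate|inflate) (\d+(?:\.\d+)+) Copyright \d{4}-\d{4} "
    rb"(?:Jean-loup Gailly|Mark Adler)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def bundled_zlib_versions(blob: bytes) -> List[str]:
    """Distinct zlib versions whose banner appears in a binary image."""
    found = {m.group(2).decode("ascii") for m in ZLIB_BANNER.finditer(blob)}
    return sorted(found, key=parse_version)


def inventory(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each file that embeds a zlib copy to the versions it carries."""
    result: Dict[str, List[str]] = {}
    for name, blob in files.items():
        versions = bundled_zlib_versions(blob)
        if versions:
            result[name] = versions
    return result


def needs_rebuild(inv: Dict[str, List[str]], fixed_in: str) -> List[str]:
    """Files carrying a zlib copy older than the release assumed to fix the flaw."""
    fix = parse_version(fixed_in)
    return sorted(name for name, versions in inv.items()
                  if any(parse_version(v) < fix for v in versions))


# Constructed stand-ins for installed binaries (hypothetical paths and contents).
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\0" * 9
SAMPLE_FILES = {
    # dynamically linked: only a library name reference, no banner
    "usr/bin/dyn-tool": ELF_HEADER + b"libz.so.1\0",
    # statically linked against an old zlib: both banners present
    "usr/bin/old-static": (ELF_HEADER
                           + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
                           + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "),
    # bundles a newer zlib copy inside a plugin
    "usr/lib/plugin.so": ELF_HEADER
                         + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ",
}

if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for name, versions in sorted(inv.items()):
        print(f"{name}: bundled zlib {', '.join(versions)}")
    # "1.2.11" is an assumed fix version for the demonstration only
    print("rebuild needed:", needs_rebuild(inv, "1.2.11"))
```

Against real systems the same scan runs over the files of every installed package; it is deliberately naive (a plain byte search, no ELF parsing) so that it also catches copies inside archives, firmware images or interpreters that a linker-level check would miss, which is precisely the inventory that was missing in the libz case the message describes.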
