Proposal to reduce anti-bundling requirements

Dominik 'Rathann' Mierzejewski dominik at greysector.net
Thu Oct 1 20:01:29 UTC 2015


On Wednesday, 30 September 2015 at 14:35, Stephen Gallagher wrote:
> Just to circle around here (in case people don't read my reply to the
> FESCo meeting agenda), I'm making the following revised proposal[1] to
> FESCo which may or may not be discussed at today's meeting (given that
> it was submitted late):
> 
> 
> === Mandatory ===
> * The Fedora Base Working Group has been tasked with defining the base
> platform of Fedora since its inception. As part of this proposal, we
> set a deadline for them to provide (and maintain) a specific list of
> critical path packages. The critical path set is ''not'' required to be
> self-hosting.
> * Working Groups for the separate Editions '''may''' voluntarily add
> packages into the critical path atop the Base WG requirements.
> * All packages in the critical path '''must''' obey the current strict
> bundling rules.
> * All packages not in the critical path whose upstreams allow them to
> be build against system libraries '''must''' be built against system
> libraries.
> * All packages not in the critical path whose upstreams have no
> mechanism to build against system libraries '''must''' be contacted
> publicly about a path to supporting system libraries. If upstream
> refuses, this must be recorded in a link included in the spec file.
> * All packages not in the critical path whose upstreams have no
> mechanism to build against system libraries '''may''' opt to carry
> bundled libraries, but if they do, they '''must''' include {{{Provides:
> bundled(<libname>) = <version>}}} in their RPM spec file.

I strongly object to this last point. If we simply allow free bundling
provided that it's recorded then we're opening a can of worms each
having a different CVE written on their backs. A recently discovered
bundling of lua[2] (with an actual open CVE) in luatex (and probably
in many more packages) is a good example of why this is a bad idea.

The current FPC bundling exception process should be preserved,
otherwise we're effectively removing all motivation to work with
upstreams on unbundling.

> === Strongly Recommended ===
> * Packages in the critical path should be re-reviewed every two years
> (possibly as a Flock workshop) to avoid unintentional divergence from
> the policies.

+1

> [1] https://fedorahosted.org/fesco/ticket/1483
[2] https://fedorahosted.org/fpc/ticket/569

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
        -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"


More information about the devel mailing list