Proposal to reduce anti-bundling requirements

Vít Ondruch vondruch at redhat.com
Fri Oct 2 11:18:18 UTC 2015


On 30.9.2015 at 16:52, Ralf Corsepius wrote:
> On 09/30/2015 04:25 PM, Reindl Harald wrote:
>>
>>
>> On 30.09.2015 at 16:13, Orion Poplawski wrote:
>>> On 09/30/2015 07:45 AM, Fabian Deutsch wrote:
>>>> Yes, I also see this as a good compromise.
>>>> We then have the ability to at least track bundling.
>>>>
>>> I'd just like to point out that we have always had the requirement for
>>> packages that bundle libraries to carry the "Provides:
>>> bundled(libname)"
>>> metadata.  What's new here is not needing to go through the FPC to get
>>> an exception.  Which perhaps leads to people not declaring their
>>> packages' bundled libraries.
>>
>> How do you come to that conclusion?
>>
>> People not declaring their bundles and not caring about policies did the
>> same before: not declare it and not ask for exceptions - there is a
>> logical flow in "now that I don't need to ask FPC I don't declare it"
> Exactly, that's what I would consider a serious regression.
>
> This proposal effectively is a carte-blanche to bundling and
> carelessness, which I would expect to seriously impact the quality of
> Fedora.
>
>> The opposite is more likely: people trying to avoid the FPC burden now
>> can declare it without fearing somebody takes notice and points out a
>> violation
> If they don't care or are not aware of the consequences of their
> bundling?

From the upstream POV, the view is totally different. They bundle one
library; if there is a vulnerability in it, they fix it in a single place.
In Fedora, we probably need to fix it in several other places as well,
but that does not matter for upstream.

>
> Like I've said many times before, I feel Fedora needs a serious
> vulnerability in a widespread bundled or static library, such that
> people finally comprehend the harm of bundling.

This harms Fedora but not the upstream project which bundles. If a
security issue is discovered in the bundled library, they fix it and
release a new version; in the users' view they are the good guys who care
about security. If we fix the same issue in the unbundled library, it is
invisible to users, and in the end they demand an updated version of the
upstream project, since they believe that the issue is not fixed in
Fedora yet.

I am afraid that no matter how much education you'd like to apply to
this issue, you will never reduce it, since honestly, most of the
development is done on platforms other than Linux, where bundling of
various kinds is the norm.

And TBH, as much as I hate this reduction of anti-bundling requirements,
I also hate to hear from upstream that they don't wish their SW to be
included in Fedora, since we break it due to unbundling policies.


Vít
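The thread above turns on the "Provides: bundled(libname)" metadata: it is the only record of which packages carry a private copy of a library, so when that library gets a security fix it is also the list of "several other places" the fix has to reach. The script below is an added example, not code from this thread or from Fedora's tooling, showing how a maintainer or security team can turn that metadata into a library-to-packages index. On a real system the input would come from `rpm -qa --qf '[%{NAME} %{PROVIDENAME}\n]'`, one "package provide" pair per line; here a constructed sample (foo, bar, baz and zlib are made-up packages) stands in for that output so it runs offline.

```shell
#!/bin/sh
# Added example: build a "which packages bundle library X?" index from RPM
# Provides metadata. On a Fedora system the input would be produced by
#   rpm -qa --qf '[%{NAME} %{PROVIDENAME}\n]'
# which prints one "<package> <provide>" pair per line. The lines below are a
# constructed sample standing in for that output (not real package data).
SAMPLE_PROVIDES='foo foo
foo bundled(zlib)
foo libfoo.so.1()(64bit)
bar bundled(zlib)
bar bundled(libxml2)
baz libbaz.so.0()(64bit)
zlib zlib'

# bundled_index: read "<package> <provide>" lines on stdin and print, for every
# bundled(<lib>) provide, one line "<lib>: <pkg1> <pkg2> ...", sorted by library.
bundled_index() {
    awk '$2 ~ /^bundled\(.*\)$/ {
            lib = substr($2, 9, length($2) - 9)      # strip "bundled(" and ")"
            pkgs[lib] = pkgs[lib] (pkgs[lib] == "" ? "" : " ") $1
        }
        END { for (lib in pkgs) print lib ": " pkgs[lib] }' | sort
}

# bundlers_of <lib>: print the packages declaring bundled(<lib>), one per line.
# This is the list a security update for <lib> must reach in addition to the
# system copy of the library itself.
bundlers_of() {
    awk -v want="bundled($1)" '$2 == want { print $1 }'
}

printf '%s\n' "$SAMPLE_PROVIDES" | bundled_index
echo "--- packages needing a rebuild or fix if zlib is vulnerable:"
printf '%s\n' "$SAMPLE_PROVIDES" | bundlers_of zlib
```

The index is only as complete as the declarations feeding it, which is exactly the concern raised in the thread: a package that bundles a library without declaring `bundled(libname)` is invisible to this query, so the practical check after any library advisory is to run it and then compare against what a binary scan of the package contents turns up.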