Proposal to reduce anti-bundling requirements

Tomas Mraz
Fri Oct 2 11:46:23 UTC 2015

On Pá, 2015-10-02 at 13:18 +0200, Vít Ondruch wrote:
> Dne 30.9.2015 v 16:52 Ralf Corsepius napsal(a):
> >
> > Like I've said many times before, I feel Fedora needs a serious
> > vulnerability in a widespread bundled or static library, such that
> > people finally comprehend the harm of bundling.
> This harms Fedora but not the upstream project which bundles. If there
> is a security issue discovered in the bundled library, they fix it and
> release a new version; in the users' view they are the good guys who care
> about security. If we fix the same issue in the unbundled library, it is
> invisible to users, and in the end they demand an updated version of the
> upstream project, since they believe that the issue is not fixed in
> Fedora yet.
> I am afraid that no matter how much education you'd like to apply to
> this issue, you will never reduce it, since honestly, most of the
> development is done on platforms other than Linux, where bundling of
> various kinds is the norm.
> And TBH, as much as I hate this reduction of anti-bundling requirements,
> I also hate to hear from upstream that they don't wish their SW to be
> included in Fedora, since we break it due to unbundling policies.

This seems like a strong argument for the current case where the
bundling exception is provided by FPC. The question is only whether it
needs to be FPC or some other body. Bundling should be approved
only for projects where upstream is fully active and cares well about
the security vulnerabilities in the bundled copies of software. I am
not sure that this should be evaluated just by the single person who
reviews the package for acceptance in Fedora, so I do not like the
current proposal. On the other hand, the evaluation should be quick, and
the current rules seem to me to be slightly too strict.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
