Proposal to reduce anti-bundling requirements

Ralf Corsepius rc040203 at
Fri Oct 2 12:11:46 UTC 2015

On 10/02/2015 01:18 PM, Vít Ondruch wrote:
> Dne 30.9.2015 v 16:52 Ralf Corsepius napsal(a):
>> Like I've said many times before, I feel Fedora needs a serious
>> vulnerability in a widespread bundled or static library, such that
>> people finally comprehend the harm of bundling.
> This harms Fedora but not the upstream project which bundles.
Exactly. This "bundling everything" is upstream-centric. It's convenient 
to them, but it's harmful to wider system integration.

> If there
> is discovered security issue in the bundled library, they fix it and
> release new version, they are in users' view the good guys who care
> about security.
Only if there is an active upstream, who actively works on its bundled 
sources. This applies to bigger projects such as Firefox and Chromium, 
but often doesn't apply to smaller projects.

There, bundled sources often pretty soon don't get much attention and 
simply rot. Worse, when such upstream goes AWOL.

> I am afraid that no matter how much education you'd like to apply to
> this issue, you will never reduce it, since honestly, most of the
> development is done on different platforms than Linux, where bundling of
> various kinds is a norm.
Sure, but IMO, this shouldn't be reason for us to follow these system's 

When you have a look at these systems, you'll soon notice bundling is 
one of the primary causes for vulnerabilities on these systems.

> And TBH, as much as I hate this reduction of anti-bundling requirements,
> I also hate to hear from upstream that they don't wish their SW to be
> included in Fedora, since we break it due to unbundling policies.
So be it. It's their decision - I don't want Fedora to be taken hostage 
by short-sighted upstreams and their non-system-integrable designs.

Also, if there's sufficient interest in a piece of SW and if their 
design isn't too crappy, it should not be much of a problem for Fedora 
to properly integrate a SW into Fedora.

