Proposal to reduce anti-bundling requirements

Ralf Corsepius rc040203 at
Fri Oct 2 12:19:19 UTC 2015

On 10/02/2015 01:46 PM, Tomas Mraz wrote:
> On Pá, 2015-10-02 at 13:18 +0200, Vít Ondruch wrote:
>> Dne 30.9.2015 v 16:52 Ralf Corsepius napsal(a):
>>> Like I've said many times before, I feel Fedora needs a serious
>>> vulnerability in a widespread bundled or static library, such that
>>> people finally comprehend the harm of bundling.
>> This harms Fedora but not the upstream project which bundles. If there
>> is discovered security issue in the bundled library, they fix it and
>> release new version, they are in users view the good guys who cares
>> about security. If we fix the same issue in unbundled library, it is
>> invisible for users and at the end they demand updated version of the
>> upstream project, since they believe that the issues is not fixed in
>> Fedora yet.
>> I am afraid that no matter how much education you'd like to apply to
>> this issue, you will never reduce it, since honestly, most of the
>> development is done on different platforms then Linux, where bundlind of
>> various kinds is a norm.
>> And TBH, as much as I hate this reduction of anti-budnling requirements,
>> I also hate to hear from upstream that they don't wish their SW to be
>> included in Fedora, since we break it due to unbundling policies.
> This seems like a strong argument for the current case where the
> bundling exception is provided by FPC. The question is only whether it
> needs to be FPC or some another body. The bundling should be approved
> only for projects where upstream is fully active and cares about the
> security vulnerabilities in the bundled copies of software well.
Correct. That's one of the criteria, FPC is trying to consider when 
granting bundling exceptions. Openly said, these are the easy cases, we 
often grant bundling exceptions.

The problematic ones are those cases, when it's obvious upstream lacks 
experience and/or technical skills to understand "unbundling" 
/"bundling" and resources to take care about "upstreams of their bundled 
sources. These often are smaller projects - in many cases - one-man shows.


More information about the devel mailing list