Proposal to reduce anti-bundling requirements

Matthew Miller mattdm at
Fri Oct 2 14:22:31 UTC 2015

On Fri, Oct 02, 2015 at 02:19:19PM +0200, Ralf Corsepius wrote:
>> only for projects where upstream is fully active and cares about the
>> security vulnerabilities in the bundled copies of software well.
> Correct. That's one of the criteria, FPC is trying to consider when
> granting bundling exceptions. Openly said, these are the easy cases,
> we often grant bundling exceptions.
> The problematic ones are those cases, when it's obvious upstream
> lacks experience and/or technical skills to understand "unbundling"
> /"bundling" and resources to take care about "upstreams of their
> bundled sources. These often are smaller projects - in many cases -
> one-man shows.

Ralf, right now the documented list of reasons FPC might allow
exceptions don't give this impression. The closest I see is "Active
upstream Security Team", but that has a number of qualifications linked
by capital-letters and bold, like "the upstream project is actively
working on unbundling" and also notes "this rationale may not be
sufficient in and of itself" and that this exception is likely to be

Would you be open to a much broader guideline for exceptions, where the
expected, default answer would be "yes" when the upstream demonstrates
concern for security whether by unbundling or by generating their own
updates in a responsive fashion?

(To be clear, I personally am in favor of also allowing more relaxed
bundling for smaller projects which are on the fringes of the system
integration you discuss. In other words, vastly expanding the "too
small to care" exception.)

Matthew Miller
<mattdm at>
Fedora Project Leader

More information about the devel mailing list