Proposal to reduce anti-bundling requirements

Matthew Miller mattdm at fedoraproject.org
Thu Oct 8 23:51:55 UTC 2015


On Fri, Oct 09, 2015 at 12:58:05AM +0200, Kevin Kofler wrote:
> Only if you call patches to the build system (with little to no changes to 
> the actual code) a "fork".

There might be some wording change to "upstreams allow" in the new
policy to include this as should-be-unbundled cases — although I'm not
sure it's valuable in the cases where the bundled libraries aren't
already packaged.

> Huh? 3 simple steps to unbundling (>90% success rate, especially with the 
> growing number of stupid upstreams that bundle not out of necessity, but 
> because they simply don't believe in unbundling):

Possibly easy upfront, but then, what if there's an API mismatch
between either an update of this package and the system lib such that
the unbundled combination no longer works? Then, something that was
easy for the packager suddenly becomes a programming problem.

> Do you have any concrete examples where unbundling libraries caused security 
> issues? To me, this looks like a very abstract threat, and in no way 
> comparable to the major security risk posed by outdated bundled libraries.

Curl, compiled against a version of ssl different from what the code
expects.


> What kind of automated tooling? The only kind of tooling I can think of is 
> tooling to automatically upgrade bundled libraries, but then you end up 
> causing exactly the same "new, unique bugs" as when just using the system 
> library (or conversely, if it works just fine, just using the system library 
> would work just as fine!), without the other advantages of unbundling (disk 
> space, RAM and update download bandwidth savings).

Find all the bundled libraries in all of Fedora, even with minor
variations in code and version. When there's a vulnerability,
automatically generate patches, bump the RPMs, rebuild test builds, run
them through automated testing (including a new test for whatever
just-revealed CVE), and ping the maintainers.
-- 
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader
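The "find all the bundled libraries, even with minor variations" step sketched above, as an added example that is not from this thread or from any Fedora tooling: it compares normalized source text so that lightly modified copies (re-indented code, a comment-only version bump) still match. The library, package trees, paths and threshold are constructed sample data.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample data: a reference copy of a fictional library and two
# package source trees as {path: contents}. Package "alpha" bundles a copy
# whose comment carries a different version and whose indentation differs.
REFERENCE_LIB = {
    "libfoo/foo.c": "int foo_add(int a, int b) {\n    return a + b; /* v1.2 */\n}\n",
    "libfoo/foo.h": "int foo_add(int a, int b);\n",
}
PACKAGES = {
    "alpha": {
        "src/main.c": "int main(void) { return 0; }\n",
        "src/third_party/foo.c": "int foo_add(int a, int b) {\n  return a + b; /* v1.3 */\n}\n",
        "src/third_party/foo.h": "int foo_add(int a, int b);\n",
    },
    "beta": {
        "src/main.c": "int main(void) { return 1; }\n",
    },
}


def normalize(src: str) -> str:
    """Strip C comments and collapse whitespace so cosmetic edits do not hide a copy."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return " ".join(src.split())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between two normalized sources (1.0 = identical after normalization)."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def find_bundled(reference: Dict[str, str], packages: Dict[str, Dict[str, str]],
                 threshold: float = 0.9) -> Dict[str, List[Tuple[str, str, float]]]:
    """Map each package to the (reference file, bundled file, score) pairs at or above threshold."""
    hits: Dict[str, List[Tuple[str, str, float]]] = {}
    for pkg, files in packages.items():
        for ref_path, ref_src in reference.items():
            for path, src in files.items():
                score = similarity(ref_src, src)
                if score >= threshold:
                    hits.setdefault(pkg, []).append((ref_path, path, score))
    return hits


if __name__ == "__main__":
    for pkg, matches in find_bundled(REFERENCE_LIB, PACKAGES).items():
        for ref_path, path, score in matches:
            print(f"{pkg}: {path} looks like {ref_path} (similarity {score:.2f})")
```

A real run would feed it the unpacked source of every SRPM and a corpus of known library versions; the output is the list of maintainers to ping when that library gets a CVE.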
