"Unbundling SIG" was [Re: Summary/Minutes from today's FESCo Meeting (2015-10-07)]

Matthew Miller mattdm at fedoraproject.org
Fri Oct 9 17:33:37 UTC 2015


On Fri, Oct 09, 2015 at 11:00:30AM -0400, Stephen Gallagher wrote:
> > +1 And I was serious about it, rather sticking to guidelines as if
> > they were dogma, I prefer positive actions to fight poor
> > practices.
> I'm thoroughly behind this. I think an unbundling SIG is a far better
> solution to the bundling problem than the high barrier-to-entry and
> poor-enforcement solution that we had previously.
> Having a group of motivated and knowledgeable individuals focused on
> removing unnecessary bundling would be far more likely to result in
> secure *and* usable software. I'd be more than happy to participate in
> such a SIG as time allows.

One of Kevin's concerns — I think I can state fairly! — is that the
previous policy had basically the strongest teeth we have for anything
in Fedora. If you don't debundle, you can't participate.

I think we should generally trust the package maintainers to make the
right call on whether debundling would be _actively problematic_ for
their package. But, going back to my triangle illustration:

A. For packagers with inclination and availability, but short on
expertise, the Unbundling SIG will be clearly valuable. The SIG could
offer patches both initially and when needed on an ongoing basis.
(Possibly the policy would be for someone from the SIG to become a
comaintainer, or possibly even use provenpackager privs for this
purpose with coordination with the package's primary contact.)

B. For packagers with inclination and expertise, but no *time*, pretty
much the same deal.

C. Now, when we get to availability and expertise but no inclination....
well, let me break that down further.

When the packager has reasoned belief that debundling is actively bad
in some way for this package, I think we should trust the packager. I
know not everyone on this thread agrees, but in general, Fedora
*always* places a high level of trust in our packagers to make the
right call in all sorts of situations. Here, perhaps some of the
current (former?) pages on the rationale for unbundling could be moved
into the Unbundling SIG's space and used as guidance.

But, in the case where the packager just doesn't see it as important,
maybe the Unbundling SIG could have a stronger mandate, possibly
overseen by the FPC, to also sign up for comaintainership and make the
necessary packaging changes.

In cases where the bundled libraries already exist in Fedora, this
might be as simple as changing the "packages whose upstreams allow them
to be built against system libraries must be built against system
libraries" to "packages which can be correctly built against libraries
already packaged separately in Fedora must use those libraries, or get
an exception from the FPC".

If the bundled libraries *don't* already exist separately in Fedora,
the previous policy required the would-be packager to do what is often
a huge amount of work to separate them, and in many cases, that was for
very, very little actual gain, as these then just became new leaves
with only one consumer. I'm not very excited about policies which
demand that other people do work — not necessarily as a matter of
libertarian principles, but just as practicality. Obviously we're not
Debian, but I think this part from their Getting Started guide applies
to volunteer software projects in general:

* We all are volunteers.
* You cannot impose on others what to do.
* You should be motivated to do things by yourself.

<https://www.debian.org/doc/manuals/maint-guide/start.en.html#socialdynamics>

and in that light, I think if there's something which isn't previously
available but *could* be, and which the Unbundling SIG identifies as
important, the Unbundling SIG could work to make those libs available
independently, turning this into the previous case.


I'd also like to see something like:

   When adding a package which carries a bundled library, the name
   chosen in "Provides: bundled(<libname>)" should match the naming
   guidelines as if that package were provided separately. When in
   doubt, check with the FPC.

   When adding this line, please run [whatever command] to find
   existing packages which provide that library, and consider
   contacting the maintainers of those packages and the Unbundling SIG
   to work on an effort to make this into a separate, shared package.
   See [Why Bundled Libraries Are Bad] for details on how this benefits
   Fedora maintainers and users.



-- 
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader
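The check the proposed guideline text above asks packagers to run ("find existing packages which provide that library") can be scripted against the `Provides: bundled(<libname>)` declarations themselves. The script below is an added example, not from this thread or from Fedora's packaging tooling. It assumes the convention the mail describes (a bundled library named as if it were packaged separately, so `bundled(zlib)` is a candidate duplicate of a package literally named `zlib`). The provides text and the repository package list are constructed inline so the script runs offline; in real use they would come from `rpm -q --provides <pkg>` (or the spec file) and from `dnf repoquery --qf '%{name}'`, and `dnf repoquery --whatprovides 'bundled(<libname>)'` would find the other packages already carrying the same bundled copy.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit "Provides: bundled(<lib>)"
# declarations and flag bundled libraries that already exist as separate
# packages. From a supply-chain standpoint every flagged line is a copy
# of a library that has to be patched separately when a CVE lands.
#
# Inputs are constructed here so the script runs offline. In real use the
# provides would come from `rpm -q --provides <pkg>` and the repository
# package list from `dnf repoquery --qf '%{name}'`.

# Constructed sample: `rpm -q --provides` style output for one package.
SAMPLE_PROVIDES='foo = 2.1.0-3.fc23
foo(x86-64) = 2.1.0-3.fc23
bundled(zlib) = 1.2.8
bundled(libfoo-internal)
bundled(expat) = 2.1.0
config(foo) = 2.1.0-3.fc23'

# Constructed sample: names of packages already present in the repositories.
SAMPLE_REPO_PACKAGES='zlib
expat
openssl
bash'

# Print the library names declared via bundled(<name>), one per line.
extract_bundled() {
    # $1: provides text. sed keeps only bundled(...) lines and strips the
    # wrapper and any trailing "= <version>" part.
    printf '%s\n' "$1" | sed -n 's/^bundled(\([^)]*\)).*$/\1/p'
}

# For each bundled library, report whether a separately packaged candidate
# of the same name exists. Output is one "<lib> <status>" line per library,
# status being "system-package-available" or "no-separate-package".
audit_bundled() {
    # $1: provides text, $2: newline-separated repository package names.
    extract_bundled "$1" | while IFS= read -r lib; do
        # Fixed-string, whole-line match so names with dots or dashes
        # are not treated as regular expressions.
        if printf '%s\n' "$2" | grep -qxF -- "$lib"; then
            printf '%s system-package-available\n' "$lib"
        else
            printf '%s no-separate-package\n' "$lib"
        fi
    done
}

# Count how many bundled libraries duplicate an existing package; these are
# the ones to raise with the library's maintainers or the Unbundling SIG.
count_duplicates() {
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    audit_bundled "$1" "$2" | grep -c 'system-package-available$' || true
}

# Stand-alone run over the constructed sample.
audit_bundled "$SAMPLE_PROVIDES" "$SAMPLE_REPO_PACKAGES"
```

Running it over the sample reports `zlib` and `expat` as already available separately and `libfoo-internal` as having no separate package, which is exactly the split the mail draws between "build against the system library" and "the SIG may want to package this independently first".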

