"Unbundling SIG" was [Re: Summary/Minutes from today's FESCo Meeting (2015-10-07)]

Haïkel hguemar at fedoraproject.org
Sat Oct 10 09:05:13 UTC 2015


2015-10-10 1:31 GMT+02:00 Kevin Kofler <kevin.kofler at chello.at>:
> Matthew Miller wrote:
>> When the packager has reasoned belief that debundling is actively bad
>> in some way for this package, I think we should trust the packager. I
>> know not everyone on this thread agrees, but in general, Fedora
>> *always* places a high level of trust in our packagers to make the
>> right call in all sorts of situations. Here, perhaps some of the
>> current (former?) pages on the rationale for unbundling could be moved
>> into the Unbundling SIG's space and used as guidance.
>
> I am worried that a lot of packagers will just refuse to do anything that
> upstream does not support, either:
> * because they ARE upstream, or
> * because they are too worried about offending upstream, or
> * because they are too lazy and/or too busy to rebase patches.
> And the often-cited fact that there are more and more upstreams not
> supporting unbundling only makes this WORSE and is actually a reason for
> MORE strictness in downstream policies, not less!
>
> The new policy does not require any kind of rationale for refusing, just
> saying "no" is enough to block everything.
>

In short: packagers are not to be trusted, that's the bottom line of
your argumentation.

By putting down stricter guidelines without any means of enforcing
them, you're not solving anything.
FESCo chose to trust contributors to do the right thing and to be honest.

>> Obviously we're not Debian, but I think this part from their Getting
>> Started guide applies to volunteer software projects in general:
>>
>> * We all are volunteers.
>>  * You cannot impose on others what to do.
>>  * You should be motivated to do things by yourself.
>>
>> <https://www.debian.org/doc/manuals/maint-guide/start.en.html#socialdynamics>
>
> I find it funny that you are citing Debian in an attempt to support your
> point, because Debian actually has a "no bundled libraries" policy at least
> as strict as our old one.
>
>         Kevin Kofler
>

Wrong, it's even more "laxist" than our current one.
https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
https://fedoraproject.org/wiki/User:Tibbs/BundlingDraft2

You know the difference? Debian trusts maintainers to do the right
thing by default.
If we can't trust Fedora maintainers, then we have another problem to solve.

Besides, you're not answering the question; Matthew changed the topic
to focus the discussion on the Unbundling SIG proposal.
I think it's a better idea to have a focused group leading that effort,
and I hope working closely with FPC.

I envision their mission being:
* work on detecting bundled libraries in the current packages collection
* work with package maintainers and upstream developers to reduce bundling.
* document
* cooperate with FPC to apply best practices
* cooperate with the security team when a CVE is discovered in a bundled lib
(filing tickets or applying fixes as provenpackagers)
* provide metrics to follow the progress of that effort.

If you care about reducing bundling, this is a far more effective
solution than stricter guidelines.

Regards,
H.

