Proposal to reduce anti-bundling requirements

Zdenek Kabelac zkabelac at redhat.com
Fri Sep 11 13:43:51 UTC 2015


On 11.9.2015 at 15:39, Reindl Harald wrote:
>
> On 11.09.2015 at 15:27, Zdenek Kabelac wrote:
>> On 11.9.2015 at 15:22, Eric Griffith wrote:
>>>
>>> On Sep 11, 2015 9:03 AM, "Zdenek Kabelac" <zkabelac at redhat.com
>>> <mailto:zkabelac at redhat.com>> wrote:
>>>  >
>>>  > On 11.9.2015 at 14:46, Germano Massullo wrote:
>>>  >
>>>  > Fault #1
>>>  > (I've already complained that usage of rawhide & rpmfusion is
>>> getting silly)
>>>  >
>>>  >
>>> How is the usage getting silly? *genuinely confused* I'd love for
>>> Fedora to
>>> have everything in the repos (A la Arch) but for legal and philosophical
>>> reasons it's not possible.
>>
>> My complaint here is about packaging libraries.
>> And just because a library has been upgraded from version .so.2 to
>> version .so.4  and you can't have both (as the new one replaces old one
>> by Fedora policy) - you cannot normally use rpmfusion.
>
> the whole point of a *shared library* is to have single versions of libraries
> and not 10 versions you need to seek if they are affected from whatever
> security relevant bug, in many cases it will be impossible to answer that
> question
>
> and no, backporting of fixes is not the solution, ignoring manpower here, how
> often do you think developers are fixing some bug and even not realize it was
> security relevant and so no CVE is assigned
>
> not long ago glibc was affected by such a case
>
>> The best part is - the library itself is mostly useless - but because of
>> packaging policy - if you want to use rpmfusion - you have to basically
>> build
>> lib-compat-like (Fedora way) libraries yourself - that's what I call
>> silly....
>
> no, rpmfusion just needs to cope with rawhide changes and rebuild as Fedora does
>

We are not solving here 'ideal' world where everyone has tons of free time and
could rebuild everything all day&night.

This Fedora plan simply puts too much work at everyone's hands.

Sure - people who care about safety might have some option - like I always
want to have ONLY the latest lib - and drop everything else, but there are
still a lot of users who could live with older libs quite happily (and
especially in the case they do not use the library in question AT ALL - which
is the main point here).


Zdenek



