Proposal to reduce anti-bundling requirements

Zdenek Kabelac zkabelac at redhat.com
Fri Sep 11 14:31:51 UTC 2015


On 11.9.2015 at 15:47, Reindl Harald wrote:
>
> On 11.09.2015 at 15:43, Zdenek Kabelac wrote:
>> On 11.9.2015 at 15:39, Reindl Harald wrote:
>>>
>>> On 11.09.2015 at 15:27, Zdenek Kabelac wrote:
>>>> On 11.9.2015 at 15:22, Eric Griffith wrote:
>>>>>
>>>>> On Sep 11, 2015 9:03 AM, "Zdenek Kabelac" <zkabelac at redhat.com
>>>>> <mailto:zkabelac at redhat.com>> wrote:
>>>>>  >
>>>>>  > On 11.9.2015 at 14:46, Germano Massullo wrote:
>>>>>  >
>>>>>  > Fault #1
>>>>>  > (I've already complained that usage of rawhide & rpmfusion is
>>>>> getting silly)
>>>>>  >
>>>>>  >
>>>>> How is the usage getting silly? *genuinely confused* I'd love for
>>>>> Fedora to
>>>>> have everything in the repos (A la Arch) but for legal and
>>>>> philosophical
>>>>> reasons it's not possible.
>>>>
>>>> My complaint here is about packaging libraries.
>>>> And just because a library has been upgraded from version .so.2 to
>>>> version .so.4  and you can't have both (as the new one replaces old one
>>>> by Fedora policy) - you cannot normally use rpmfusion.
>>>
>>> the whole point of a *shared library* is to have single versions of
>>> libraries
>>> and not 10 versions you need to seek if they are affected by whatever
>>> security relevant bug, in many cases it will be impossible to answer that
>>> question
>>>
>>> and no, backporting of fixes is not the solution, ignoring manpower
>>> here, how
>>> often do you think developers are fixing some bug and even not realize
>>> it was
>>> security relevant and so no CVE is assigned
>>>
>>> not long ago glibc was affected by such a case
>>>
>>>> The best part is - the library itself is mostly useless - but because of
>>>> packaging policy - if you want to use rpmfusion - you have to basically
>>>> build
>>>> lib-compat-like (Fedora way) libraries yourself - that's what I call
>>>> silly....
>>>
>>> no, rpmfusion just need to cope with rawhide changes and rebuild as
>>> Fedora does
>>>
>>
>> We are not solving here an 'ideal' world where everyone has tons of free
>> time and could rebuild everything all day & night.
>
> don't tell me rpmfusion could not easily make that fully automated
>
>> This Fedora plan simply puts too much work at everyone's hands.
>>
>> Sure - people who care about safety might have some option - like I
>> always want to have ONLY the latest lib - and drop everything else, but
>> there are still a lot of users who could live with older libs quite
>> happily (and especially in the case they do not use the library in
>> question AT ALL - which is the main point here)
>
> you said "every one has tons of free time" - well - and who would maintain the
> dozen of versions of libraries packages?

You miss a few important points:

1.)
If you have lib.so.2 and lib.so.4 - it may need far more work than
just running rpmbuild - so far away from 'fully automated'.

2.)
What maintaining time are we talking about - since Fedora breaks working things
in the first place for no good reason and forces massive maintenance time on
every user of the new library in a 'short' time for some potential 'security' fixes
- but you may on the other hand put in dozens of new security breaks anyway -
and when I see how frequently i.e. gtk libs may break the whole distro - it
would be far more pleasant to see just a couple of broken apps at a time - instead of
rendering the whole rawhide unusable....

Zdenek


