[Bug 907464] cpanm bundle lots of library and is not listed on fesco page

bugzilla at redhat.com bugzilla at redhat.com
Mon Feb 4 16:28:22 UTC 2013


Product: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=907464

Michael Scherer <misc at zarb.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |ASSIGNED
         Resolution|NOTABUG                     |---
           Keywords|                            |Reopened

--- Comment #2 from Michael Scherer <misc at zarb.org> ---
Yes, I have read the source code, and I am aware of the reason why cpanm does
it (hence the "While the way cpanm work kinda mandate it" part in my first
comment).

But as I said, I think this should be tracked somewhere. I have seen how the
code is bundled and I know this would be quite hard to unbundle, but I am not
FPC, so in the end it is up to them to decide, not me, hence the request to
check with them. If I were the one to decide, I would grant an exception,
provided we can find what is bundled, so that if any security issue arises, we
can quickly see that this should be fixed in cpanm too.

For example, there is a bundled copy of JSON::PP or HTTP::Tiny, and I am
picking these two because they either consume untrusted input or do network
stuff, so they could in theory be problematic.

And in any case, the packaging guidelines are quite clear on what to do if
there is a bundle:
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Requirement_if_you_bundle

This includes adding a link to the ticket for the exception. And while the
ticket looks like bureaucracy (since I think the exception would be granted),
I think only FPC can edit the wiki page with the list of bundled exceptions,
and that would be used as a reference source, and so must be up to date.

The fact that only part of the code is copied doesn't make it any less of a
problematic copy from a tracking point of view.

So yes, I think something should be done, and the current process and
documentation require some group to do it, and that's FPC as you correctly
said.

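Added example, not from this bug report or from cpanm itself: a small Python script that inventories the modules bundled into a fatpacked Perl script such as cpanm, with their versions, so a packager can record what is copied and re-check it when a fix for one of those modules lands. It assumes the App::FatPacker layout (each bundled module stored as a heredoc in %fatpacked, keyed by its relative .pm path); the sample input below is constructed, not real cpanm content.

```python
import re
import sys

# Constructed sample mimicking the fatpacked layout; versions are made up.
SAMPLE_FATPACKED = r'''
BEGIN {
my %fatpacked;

$fatpacked{"HTTP/Tiny.pm"} = <<'HTTP_TINY';
  package HTTP::Tiny;
  use strict;
  our $VERSION = '0.025';
  sub new { bless {}, shift }
HTTP_TINY

$fatpacked{"JSON/PP.pm"} = <<'JSON_PP';
  package JSON::PP;
  use strict;
  $JSON::PP::VERSION = '2.27200';
JSON_PP

s/^  //mg for values %fatpacked;
}
'''

# One $fatpacked{"Path/To/Module.pm"} = ... <<'TAG'; ... TAG entry per module.
# The optional junk before '<<' covers the "#line" prefix newer fatpacks emit.
HEREDOC_RE = re.compile(
    r'\$fatpacked\{"(?P<path>[^"]+)"\}\s*=\s*(?:[^<\n]*?)<<\s*\'(?P<tag>\w+)\';\n'
    r'(?P<body>.*?)^(?P=tag)$',
    re.DOTALL | re.MULTILINE,
)
# Matches both "our $VERSION = '...'" and "$Pkg::Name::VERSION = '...'".
VERSION_RE = re.compile(r'\$(?:[\w:]*::)?VERSION\s*=\s*[\'"]([^\'"]+)[\'"]')

def list_bundled(text):
    """Return {module_name: version_or_None} for every fatpacked module."""
    found = {}
    for m in HEREDOC_RE.finditer(text):
        module = m.group('path')[:-3].replace('/', '::')  # drop ".pm"
        v = VERSION_RE.search(m.group('body'))
        found[module] = v.group(1) if v else None
    return found

def bundled_on_watchlist(text, watchlist=("HTTP::Tiny", "JSON::PP")):
    """Subset of bundled modules a packager wants to track for security fixes."""
    return {m: v for m, v in list_bundled(text).items() if m in watchlist}

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FATPACKED
    for module, version in sorted(list_bundled(src).items()):
        print(f"{module:30} {version or 'unknown'}")
```

Run it against a real cpanm script path to get the list that a bundling exception request (and a later security check) would need.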
