At the last FPC meeting, we voted to update the bundled library guidelines:
+1: 6, 0: 0, -1: 0
This update adds rationale for the recent bundled library exceptions. It adds sections for the rationale used in those cases while continuing to make clear that an exception is granted on a case-by-case basis, not just from falling into one of the categories here. It adds some standard questions that every exception request should answer. And, importantly, it adds a requirement for packages bundling libraries to use a virtual provide to note what library they're bundling at what version. That makes it possible for a security team, maintainers of the bundled library, FESCo, etc., to query for packages that are bundling a library should that library need to be updated.
+1 as long as the "Modified beyond a certain extent" category still requires FESCo approval. In the case of zsync there is just a single function added to their zlib and I'd like to avoid packagers or reviewers claiming this is "beyond a certain extent".
(Note: I won't be able to make it for the meeting tonight, so I vote here)
This ticket is made moot by ticket 460.