This is a duplicate of https://pagure.io/fesco/issue/1734, which it was decided in today's FESCo meeting should be escalated to FPC.
It was recently brought to my attention in a package review that there are many packages available in Fedora right now that are violating the Package Guidelines for Bundled Libraries by not specifying a version. This breaks the ability to properly audit this bundled source code. I would like to know how FESCo would like to proceed to resolve this.
The link above is broken due to an issue down in python-markdown; the proper link is: https://fedoraproject.org/wiki/Bundled_Libraries
Please note that page isn't part of the packaging guidelines. When FESCo decided to remove the bundling restrictions from the guidelines they were replaced by that policy page, which is not maintained by the packaging committee.
So, uh, I guess we can discuss it at the meeting on Wednesday and see if we have any suggestions that don't come up in community discussion.
Metadata Update from @tibbs: - Issue tagged with: meeting
To clarify, what remains in the guidelines is what FESCo instructed the packaging committee to insert into the guidelines: https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries
It was never really made clear whether FPC was free to modify those as necessary or if FESCo would tell us when the text needed to be maintained. I personally believed that FPC just stayed away from the issue, because we rather stridently disagreed with the decision but attempting any change which would reintroduce any kind of restriction would have been unproductive.
So, since we didn't manage quorum today, I'll try to type up my opinion here.
Provides: bundled(name) = version
Edit: Of course I started typing that on Wednesday but only just now hit the submit button. I'm really bad about that for some reason.
We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-3/2017-07-26/fpc.2017-07-26-17.00.txt):
The promised proposal, here because I don't have time to wrestle with the wiki right now. In https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries, replace the third and final paragraph with the following.
Notes:
The last paragraph is unchanged from the original text; it feels odd to me but I haven't tried to change it.
The first two paragraphs in the original text are kind of odd as well. For example, the text doesn't permit bundling of modified versions of things if the package is able to build against system versions. I haven't tried to fix this here.
All packages whose upstreams have no mechanism to build against system libraries MAY opt to carry bundled libraries, but if they do, they MUST include an indication of what they bundle. This provides a mechanism for locating libraries with bundled code which can, for example, assist in locating packages which may have particular security vulnerabilities.
To indicate an instance of bundling, first determine the name and version of the bundled library:
If the bundled package also exists separately in the distribution, use the name of that package. Otherwise consult the naming guidelines (link) to determine an appropriate name for the library as if it were entering the distribution as a separate package.
Use the versioning guidelines (link) to determine an appropriate version for the library, if possible. If the library has been forked from an upstream, use the upstream version that was most recently merged in or rebased onto, or the version the original library carried at the time of the fork.
Then at an appropriate place in your spec, add Provides: bundled(<libname>) = <version> where <libname> and <version> are the name and version you determined above. If it was not possible to determine a version, use Provides: bundled(<libname>) instead.
In addition to inducating bundling in this manner, packages whose upstreams have no mechanism to build against system libraries must be contacted publicly about a path to supporting system libraries. If upstream refuses, this must be recorded in the spec file, either in comments placed adjacent to the Provides: above, or in an additional file checked into the SCM and referenced by a comment placed adjacent to the Provides: above.
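As an added example (not part of this ticket or of the Fedora guidelines), a small shell audit over constructed `rpm --provides`-style output shows why the version matters: it answers "who bundles this library, and at which version" and lists the unversioned bundled() entries this ticket is about. The collection pipeline mentioned in the comment is an assumption, and the sample package names and versions are made up.

```shell
#!/bin/sh
# Audit 'Provides: bundled(<libname>) = <version>' entries.
# Constructed sample in the shape "pkg: provide", roughly what you would get
# from (assumed collection pipeline, not run here):
#   for p in $(rpm -qa --qf '%{NAME}\n'); do rpm -q --provides "$p" | sed "s/^/$p: /"; done
# The packages and versions below are invented for the example.
SAMPLE='foo: bundled(zlib) = 1.2.11
foo: foo = 1.0-1.fc26
bar: bundled(zlib)
bar: bundled(gnulib)
baz: bundled(libyaml) = 0.1.7
baz: libbaz.so.1()(64bit)'

# Read "pkg: provide" lines on stdin; print "pkg libname version" for every
# bundled() provide, with "-" as the version when none was declared.
list_bundled() {
    awk -F': ' '
        $2 ~ /^bundled\(/ {
            lib = $2
            sub(/^bundled\(/, "", lib); sub(/\).*/, "", lib)
            ver = "-"
            if (match($2, / = .*$/)) ver = substr($2, RSTART + 3)
            print $1, lib, ver
        }'
}

# Bundled() provides that carry no version: these cannot be matched against
# an advisory's affected-version range, which is the gap the proposal closes.
unversioned_bundles() {
    list_bundled | awk '$3 == "-" { print $1 ": bundled(" $2 ")" }'
}

# Packages bundling a given library, with the version they declare; this is
# the lookup a security team runs when an advisory names that library.
who_bundles() {
    list_bundled | awk -v lib="$1" '$2 == lib { print $1, $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | who_bundles zlib
printf '%s\n' "$SAMPLE" | unversioned_bundles
```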
+1 from me.
The promised proposal, here because I don't have time to wrestle with the wiki right now. In https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries, replace the third and final paragraph with the following. Notes: The last paragraph is unchanged from the original text; it feels odd to me but I haven't tried to change it. The first two paragraphs in the original text are kind of odd as well. For example, the text doesn't permit bundling of modified versions of things if the package is able to build against system versions. I haven't tried to fix this here.
That should stay, in my opinion. Any modifications should be submitted upstream.
Proposal [...] In addition to inducating bundling in this manner, packages whose upstreams have
Typo: indicating.
The rest looks good to me, +1.
It should probably mention that some libraries (hello, gnulib) don't have version numbers by design. (I use the word "design" advisedly since it's a poor design decision, but that's what gnulib does).
We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2017-08-17/fpc.2017-08-17-16.00.txt):
Metadata Update from @james: - Issue untagged with: meeting - Issue tagged with: writeup
Announcement text:
The section on bundled libraries was expanded with more explicit instructions on constructing the Provides: line which indicates the bundling.
Metadata Update from @tibbs: - Issue untagged with: writeup - Issue tagged with: announce
Metadata Update from @tibbs: - Issue untagged with: announce - Issue close_status updated to: accepted - Issue status updated to: Closed (was: Open)