#696 Many packages are not following the Guidelines for bundled libraries
Closed: accepted 2 years ago Opened 2 years ago by maxamillion.

This is a duplicate of https://pagure.io/fesco/issue/1734, which it was decided in today's FESCo meeting should be escalated to FPC.

It was recently brought to my attention in a package review that there are many packages available in Fedora right now that are violating the Package Guidelines for Bundled Libraries by not specifying a version. This breaks the ability to properly audit this bundled source code. I would like to know how FESCo would like to proceed to resolve this.


The link above is broken due to an issue down in python-markdown; the proper link is: https://fedoraproject.org/wiki/Bundled_Libraries

Please note that page isn't part of the packaging guidelines. When FESCo decided to remove the bundling restrictions from the guidelines they were replaced by that policy page, which is not maintained by the packaging committee.

So, uh, I guess we can discuss it at the meeting on Wednesday and see if we have any suggestions that don't come up in community discussion.

Metadata Update from @tibbs:
- Issue tagged with: meeting

2 years ago

To clarify, what remains in the guidelines is what FESCo instructed the packaging committee to insert into the guidelines: https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries

It was never really made clear whether FPC was free to modify those as necessary or if FESCo would tell us when the text needed to be maintained. I personally believed that FPC just stayed away from the issue, because we rather stridently disagreed with the decision but attempting any change which would reintroduce any kind of restriction would have been unproductive.

So, since we didn't manage quorum today, I'll try to type up my opinion here.

  • I believe that bundling is bad in general and that if there's going to be bundling (which is no longer something this committee gets to decide) it must be made as explicit as possible.
  • I think the Provides: bundled(name) = version notation is a great way to indicate that. It's relatively easy to query and communicates a reasonable amount of information.
  • I understand that deciding on name and version can be difficult. If the bundled code is already packaged in the distribution in some other form then both are pretty easy. If not, then we should simply suggest that packagers follow our naming and versioning guidelines for determining name and version as if the bundled software was entering the distribution as separately-packaged software.
  • I'd prefer that bundling be indicated even if a version can't be specified, or if the packager has to guess at a name. Including information that allows us to easy find packages which are bundling something is better than no information at all.

Edit: Of course I started typing that on Wednesday but only just now hit the submit button. I'm really bad about that for some reason.

We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-3/2017-07-26/fpc.2017-07-26-17.00.txt):

The promised proposal, here because I don't have time to wrestle with the wiki
right now. In https://fedoraproject.org/wiki/
Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries, replace the
third and final paragraph with the following.

Notes:

  • The last paragraph is unchanged from the original text; it feels odd to me but I
    haven't tried to change it.

  • The first two paragraphs in the original text are kind of odd as well. For
    example, the text doesn't permit bundling of modified versions of things if the
    package is able to build against system versions. I haven't tried to fix this
    here.

Proposal

All packages whose upstreams have no mechanism to build against system libraries
MAY opt to carry bundled libraries, but if they do, they MUST include an
indication of what they bundle. This provides a mechanism for locating
libraries with bundled code which can, for example, assist in locating packages
which may have particular security vulnerabilities.

To indicate an instance of bundling, first determine the name and version of the
bundled library:

  • If the bundled package also exists separately
    in the distribution, use the name of that package. Otherwise consult the
    naming guidelines (link) to determine an appropriate name for the library as if
    it were entering the distribution as a separate package.

  • Use the versioning guidelines (link) to determine an appropriate version for
    the library, if possible. If the library has been forked from an upstream, use
    the upstream version that was most recently merged in or rebased onto, or the
    version the original library carried at the time of the fork.

Then at an appropriate place in your spec, add Provides: bundled(<libname>) = <version> where <libname> and <version> are the name and version you
determined above. If it was not possible to determine a version, use Provides: bundled(<libname>) instead.

In addition to indicating bundling in this manner, packages whose upstreams have
no mechanism to build against system libraries must be contacted publicly about
a path to supporting system libraries. If upstream refuses, this must be
recorded in the spec file, either in comments placed adjacent to the Provides:
above, or in an additional file checked into the SCM and referenced by a comment
placed adjacent to the Provides: above.
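The Provides: bundled(<libname>) = <version> notation is what makes bundled code auditable, and the proposal's stated purpose is locating packages that may carry a vulnerable copy of a library. As an added example (not code from this ticket or from Fedora's own tooling), the following Python script parses a constructed sample shaped like `rpm -q --provides <pkg>` output, indexes bundled libraries to the packages carrying them, and, for a hypothetical "fixed in version X" advisory, reports which packages bundle an older version and which bundle without any version (the gnulib case) and therefore need manual review. Package names and versions in the sample are made up; the version comparison is a simplified stand-in for rpmvercmp without tilde or caret handling, so real tooling should use rpm's own comparison. The live equivalent of the lookup is `dnf repoquery --whatprovides 'bundled(zlib)'`.

```python
"""Locate packages that bundle a given library via their Provides metadata.

Added example for this ticket; not Fedora tooling. Parses Provides lines of
the form  bundled(<name>) [= <version>]  as the proposal above specifies.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like `rpm -q --provides <pkg>` output for three
# hypothetical packages. Names and versions are made up for illustration.
SAMPLE: Dict[str, List[str]] = {
    "fooapp": [
        "fooapp = 2.4.1-3.fc30",
        "bundled(zlib) = 1.2.8",
        "bundled(libjpeg-turbo) = 1.5.3",
    ],
    "barlib": [
        "barlib = 0.9-1.fc30",
        "bundled(gnulib)",             # no version: gnulib has none by design
        "bundled(zlib) = 1.2.11",
    ],
    "bazd": [
        "bazd = 1.0-2.fc30",
        "config(bazd) = 1.0-2.fc30",   # not a bundling indicator
    ],
}

# bundled(<libname>) optionally followed by "= <version>"
BUNDLED_RE = re.compile(r"^bundled\(([^)]+)\)(?:\s*=\s*(\S+))?$")


def parse_bundled(provides: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (libname, version-or-None) for each bundled() Provides line."""
    found = []
    for line in provides:
        m = BUNDLED_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def index_bundled(provides_by_pkg: Dict[str, List[str]]
                  ) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Map each bundled library name to the packages (and versions) carrying it."""
    index: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for pkg, provides in provides_by_pkg.items():
        for name, version in parse_bundled(provides):
            index.setdefault(name, []).append((pkg, version))
    return index


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right.

    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment sorts newer than an alphabetic one. Tilde/caret handling
    from real rpmvercmp is omitted; use rpm's comparison in real tooling.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def affected_packages(index, libname: str, fixed_version: str
                      ) -> Tuple[List[str], List[str]]:
    """Split packages bundling `libname` into those recording a version older
    than `fixed_version` and those recording no version (need manual review)."""
    older, unknown = [], []
    for pkg, version in sorted(index.get(libname, []), key=lambda t: t[0]):
        if version is None:
            unknown.append(pkg)
        elif vercmp(version, fixed_version) < 0:
            older.append(pkg)
    return older, unknown


if __name__ == "__main__":
    idx = index_bundled(SAMPLE)
    for lib in sorted(idx):
        carriers = ", ".join(f"{p} ({v or 'no version'})" for p, v in idx[lib])
        print(f"{lib}: {carriers}")
    # Hypothetical advisory: zlib fixed in 1.2.9; who bundles something older?
    older, unknown = affected_packages(idx, "zlib", "1.2.9")
    print("zlib older than 1.2.9:", older)
    print("zlib version unknown:", unknown)
```

The versionless bucket is the reason the proposal still wants Provides: bundled(<libname>) recorded even when no version can be determined: such packages cannot be cleared automatically, but they can at least be found.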

> The promised proposal, here because I don't have time to wrestle with the wiki
> right now. In
> https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries ,
> replace the third and final paragraph with the following.
> Notes:
>
> The last paragraph is unchanged from the original text; it feels odd to me but I
> haven't tried to change it.
>
> The first two paragraphs in the original text are kind of odd as well. For
> example, the text doesn't permit bundling of modified versions of things if the
> package is able to build against system versions. I haven't tried to fix this
> here.

That should stay, in my opinion. Any modifications should be submitted upstream.

> Proposal
> [...]
> In addition to inducating bundling in this manner, packages whose upstreams have

Typo: indicating.

The rest looks good to me, +1.

It should probably mention that some libraries (hello, gnulib) don't have version numbers by design. (I use the word "design" advisedly since it's a poor design decision, but that's what gnulib does).

We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2017-08-17/fpc.2017-08-17-16.00.txt):

  • x696 Packages not following the Guidelines for bundled libraries
    (geppetto, 16:28:45)
  • ACTION: Update for Guidelines on bundled libs. (+1:5, 0:0, -1:0)
    (geppetto, 16:34:25)

Metadata Update from @james:
- Issue untagged with: meeting
- Issue tagged with: writeup

2 years ago

Announcement text:

The section on bundled libraries was expanded with more explicit instructions on constructing the Provides: line which indicates the bundling.

Metadata Update from @tibbs:
- Issue untagged with: writeup
- Issue tagged with: announce

2 years ago

Metadata Update from @tibbs:
- Issue untagged with: announce
- Issue close_status updated to: accepted
- Issue status updated to: Closed (was: Open)

2 years ago
