On Sun, Jul 9, 2017 at 5:36 PM, Kevin Kofler <kevin.kof...@chello.at> wrote:
> Adam Miller wrote:
>> In today's FESCo meeting we discussed the fact that there are many
>> RPMs currently in Fedora (a reported 244 in Rawhide currently) that
>> are defining a `Provides: bundled(<lib>) = <version>` but excluding
>> the version completely[0][1]. This removes the ability to properly
>> perform source code auditing and security vulnerability tracking.
>>
>> My question to the Fedora Contributor Community is, how should we
>> handle this? Is this something that should just simply be fixed by the
>> packages currently violating the Guidelines, should the Guidelines be
>> altered in a way that makes this easier to deal with for Packagers but
>> also provides what is needed for auditing and vulnerability tracking,
>> or is there simply clarification needed by what is required in the
>> <version> field?
>
> A version number may not even exist at all. Not all code that people copy is
> a library with a version number. Copylibs often don't bother doing releases
> because everyone just embeds it as a git submodule or checks out some random
> revision to copy into their own SCM. Hence, it is not realistic to require a
> version number.

So should we just stop requiring any RPMs be versioned since it's not
realistic to require a version number?

-AdamM

>
>         Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
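The thread above turns on `Provides: bundled(<lib>) = <version>` entries that omit the version. As an added example (not code from the thread or from Fedora's own tooling), the following script scans spec-file text for `bundled()` provides and reports the ones with no version, which is the check an auditor would run before trying to match a bundled copy against a vulnerability advisory. The spec snippet is constructed for illustration; the function names are my own.

```python
import re

# Constructed sample of Provides lines as they might appear in a spec file.
# Line 4 and the second provide on line 5 are the unversioned cases the
# guidelines discussion is about; line 6 uses an RPM macro as the version.
SAMPLE_SPEC = """\
Name: example
Version: 1.0
Provides: bundled(libfoo) = 1.2.3
Provides: bundled(libbar)
Provides: bundled(libbaz) = 0.1 bundled(libqux)
Provides: bundled(jquery) = %{version}
"""

# One bundled(<name>) token, optionally followed by "= <version>".
BUNDLED_RE = re.compile(r'bundled\(([^)]+)\)(?:\s*=\s*(\S+))?')


def audit_bundled_provides(spec_text):
    """Return (name, version_or_None, lineno) for every bundled() provide.

    Only lines whose tag is Provides: are inspected; RPM tags are
    case-insensitive, so the comparison is done in lower case.
    """
    findings = []
    for lineno, line in enumerate(spec_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.lower().startswith('provides:'):
            continue
        body = stripped.split(':', 1)[1]
        for match in BUNDLED_RE.finditer(body):
            name, version = match.group(1), match.group(2)
            findings.append((name, version, lineno))
    return findings


def unversioned_bundles(spec_text):
    """Return (name, lineno) for bundled() provides that carry no version."""
    return [(name, lineno)
            for name, version, lineno in audit_bundled_provides(spec_text)
            if version is None]


if __name__ == '__main__':
    for name, lineno in unversioned_bundles(SAMPLE_SPEC):
        print(f'line {lineno}: bundled({name}) has no version')
```

Note that a version written as a macro such as `%{version}` is reported as versioned here; whether that value is meaningful for the bundled library (rather than just the package's own version) is a separate question the script does not try to answer.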