Re: percona-xtrabackup bundling the kitchen sink in static libs

[Otto Liljalaakso]

Paul Wouters kirjoitti 23.8.2022 klo 3.07:

Hi,

I looked at fixing percona-xtrabackup and noticed it is staticly linking
to a bunch of libraries. These .a files are then removed in %install so
they are not shipped. It bundles a bunch of this stuff from its extra/ dir:

duktape  googletest  icu  libcbor  libedit  libevent  libfido2  libkmip  
lz4  protobuf  rapidjson  robin-hood-hashing  zlib  zstd

On top of that, it pins boost to a specific (older!) version and bundles 
boost
seperate via dist-git / sources :(

The relevant policy is Bundled software policy [1]. Unlike in the past, 
a package does not need a FESCo exception to bundle dependencies. 
However, the requirements of that policy are not being met here: The 
reason for bundling should be recorded in the specfile, and Provides: 
bundled(x) = 1.2.3 should be included.

[1]: https://docs.fedoraproject.org/en-US/fesco/Bundled_Software_policy/

I've just fixed it up in the same bad way, making it link to the old
openssl just to get it past F35FailsToInstall for rhbz#1989019. It is
going through rawhide and the branches now. But I think perhaps this
package should be removed from rawhide.

This package clearly breaks a lot of packaging rules, so I was
wondering if there was ever any exception of some kind given to this
package? I will definitely look at $dayjob migrating away from this,
eg see if myhoard or mariabackup can be used instead.

Any feedback would be appreciated, as it seems the maintainer is MIA.

If the maintainer is not responding, you should invoke the 
Non-responsive maintainer policy [2]. This package has CVE bugs open 
[3], so most probably it should eith be retired, or somebody should 
start caring for it.

[2]: 
https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/
[3]: 
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=percona-xtrabackup&product=Fedora&product=Fedora%20EPEL
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue