* Gerd Hoffmann: >> We would also need to consider what our committement is to security >> updates when apps are bundling stuff, as the same reasons that make >> unbundling huard, also make fixing security issues hard. > > Note that in the go/rust world the unbundling does *not* make security > updates much easier. Due to the static linkling it is not enough to > update the buggy package. You have to rebuild packages depending on > the updated package too.
But rebuilds can be automated. Generating patches for vendored dependencies may be possible to some extent (but of course the vendored package variants could have diverging versions). And then you have to integrate the patch somehow so that it is applied during %prep. This can be tricky to automate due to the varying preferences of package maintainers. Thanks, Florian -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
