On 1/21/25 7:09 AM, Fabio Valentini wrote:
But rebuilds can be automated. Generating patches for vendored
dependencies may be possible to some extent (but of course the vendored
package variants could have diverging versions). And then you have to
integrate the patch somehow so that it is applied during %prep. This
can be tricky to automate due to the varying preferences of package
maintainers.
Yes, that's exactly the point I wanted to make.
Workflow with non-vendored dependencies:
- update library or backport fix
- submit rebuilds of dependent applications (with rpmautospec, those
are no-change commits)
Workflow with vendored dependencies:
- check out application and vendored sources
- patch vendored sources
- repeat checkout / patching for*every affected application*
go-vendor-tools has an automated mechanism to handle security updates
without needing to generate patches or edit the specfile (other than
bumping Release/%changelog if rpmautospec isn't used) [1]. We could
write a script to automatically checkout each package, use
go-vendor-tools to regenerate the vendor archive with the updated
dependency, and file PRs.
[1]
https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#security-updates
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
