On 14/02/15 01:45, Ken Dreyer wrote:
> Here's the new policy that I would vote for:
>
> 1) We allow bundled libraries, and each bundled library MUST have a
> virtual Provides: bundled(foo) in the RPM spec. (The packager SHOULD
> provide a version number too, with the admission that it is sometimes
> difficult to get this number correct.)
>
> 2) If another packager comes up with a patch to unbundle the library and files
> the patch in Bugzilla, then the package maintainer MUST take the
> patch.
>
> 3) If the package maintainer disagrees with the patch for whatever reason
> (maybe it's a feature regression, or whatever), they MUST bring it to
> the FPC for arbitration. The FPC must take into account the loss of
> functionality that unbundling could imply.
>
> This revised policy would lower the barrier to entry for newcomers,
> and still leave room for more advanced contributors to do the work if
> they desired to do so.

In the end, I guess this is a trade-off between doing the Right Thing
from the overall security and distro maintenance perspective, and doing
the Right Thing from the "follow the upstream" view.

My gut feeling is that this trade-off differs in different
communities. So, what happens if we discuss this from a language point
of view?

What if we, as a starter, applied such a policy to, e.g., Ruby
packages? Expanding to other languages over time in a more controlled way?

Cheers!