https://bugzilla.redhat.com/show_bug.cgi?id=2415364
Ben Beasley <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Ben Beasley <[email protected]> ---
https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_vendored_dependencies

“In general, packages SHOULD NOT use bundled crate dependencies, whenever possible.

“Whenever vendored / bundled crate dependencies are used (no matter which mechanism is used for the purpose), all bundled crate dependencies MUST be declared with virtual Provides in the format Provides: bundled(crate($crate)) = $version in the subpackage that contains the Rust component. For example, these virtual Provides are used to determine the impact of security vulnerabilities on packages that use vendored Rust dependencies.

“Building exclusively from vendored dependencies by using a tarball that was generated by running cargo vendor SHOULD only be a last resort. […]”

Is there a concrete technical reason for using vendored dependencies here? I know that RHEL vendors Rust dependencies as a matter of course, but this is Fedora. :-)

I also see a lot of “CC0-1.0” in the license expression, which needs close investigation to make sure it’s for content and not for code (with very limited exceptions, https://gitlab.com/fedora/legal/fedora-license-data/-/blob/56aeba99ba1b551e82b359bde277d1c51cc26e13/data/CC0-1.0.toml#L11-L26), particularly because the vendored dependency bundle may be bringing in things that have never been packaged in Fedora before.

-- 
You are receiving this mail because:
You are always notified about changes to this product and component
You are on the CC list for the bug.
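The guideline quoted in the comment above requires one `Provides: bundled(crate($crate)) = $version` line per vendored crate. The following is an added example, not part of the original message and not Fedora's own tooling, that derives those lines from the `Cargo.lock` shipped with a vendored source tree. The function names, the sample lockfile and the pre-release version mapping are assumptions, and the lockfile is read line by line rather than with a full TOML parser.

```python
import re

# Constructed sample Cargo.lock; "demo-app" has no source, so it is the package's own crate.
SAMPLE_LOCK = """\
[[package]]
name = "demo-app"
version = "0.1.0"

[[package]]
name = "bitflags"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bitflags"
version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand_core"
version = "0.9.0-beta.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

FIELD = re.compile(r'^(name|version|source) = "([^"]*)"$')

def locked_packages(lock_text):
    """Return one dict (name/version/source) per [[package]] table."""
    packages, current = [], None
    for line in map(str.strip, lock_text.splitlines()):
        if line.startswith("["):
            # Only [[package]] tables describe locked crates; skip [metadata] and others.
            current = {} if line == "[[package]]" else None
            if current is not None:
                packages.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def rpm_version(semver):
    # Assumption: a semver pre-release "-" is written as RPM "~", which sorts
    # before the final release; "+build" metadata is passed through unchanged.
    core, plus, build = semver.partition("+")
    return core.replace("-", "~") + plus + build

def bundled_provides(lock_text):
    """Provides lines for crates with a source; each locked version is listed once."""
    crates = {(p["name"], rpm_version(p["version"]))
              for p in locked_packages(lock_text) if "source" in p}
    return [f"Provides: bundled(crate({n})) = {v}" for n, v in sorted(crates)]
```

Both locked versions of `bitflags` are emitted, since a vulnerability query against the virtual Provides has to match whichever version is actually in the bundle.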
