Re: RFC Generic Packaging for Languages that have vendor/ Trees
Aleksa Sarai wrote:
> This is a proposal for having a generic packaging system of RPMs for
> languages that use "vendor/" trees. Please respond with any feedback you
> have on the details of this proposal.
Thanks Aleksa for driving this topic! It's been neglected for too long.
> And here we come to my proposal. The idea is to take what is already
> being done in these projects, and create better tooling around it to
> make the work of development, maintenance, security, and legal much
> First, we need to provide more metadata about these vendor blobs in the
> RPM layer, so that security could at least *track* what versions of
> things are used by a project. And in the worst case, it should be
> possible to patch a vendor blob. This would likely best be done through
> RPM macros, by creating a virtual Provides for each of the vendored
> libraries. This matches what Fedora does for bundled libraries. The
> Provides could be just as simple as
> Provides: bundled(rust:nix) = 0.8.1
At the very least, and as a first step, that method should be specified
in the packaging guidelines IMO. Mind writing a concrete proposal
just for that to the packaging list¹²?
Once approved actual implementations for various languages and
tooling can follow.
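
As an added illustration, not part of the original thread or of any existing RPM macro: a sketch of how tooling could derive the virtual Provides lines from a Rust lock file so that security can track vendored versions. The `bundled(rust:NAME) = VERSION` form is taken from the quoted proposal; the function names, the simple line-based parser, and the sample lock file are assumptions made for this example.

```python
import re

# Constructed sample Cargo.lock; crate versions and the index URL are made up.
SAMPLE_LOCK = '''\
[[package]]
name = "myapp"
version = "1.2.0"
dependencies = ["nix 0.8.1 (registry+https://example.invalid/index)"]

[[package]]
name = "nix"
version = "0.8.1"
source = "registry+https://example.invalid/index"

[[package]]
name = "libc"
version = "0.2.20"
source = "registry+https://example.invalid/index"

[[package]]
name = "libc"
version = "0.1.12"
source = "registry+https://example.invalid/index"
'''

_FIELD = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"\s*$')

def parse_packages(lock_text):
    """Collect name/version/source from each [[package]] table (hypothetical helper)."""
    packages, current = [], None
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # any other table, e.g. [metadata]
        elif current is not None:
            m = _FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages

def bundled_provides(lock_text, lang="rust"):
    """Return sorted, de-duplicated Provides lines for the vendored crates."""
    # A package without "source" is the project itself or a path dependency,
    # not a vendored third-party library, so it gets no bundled() Provides.
    seen = {(p["name"], p["version"]) for p in parse_packages(lock_text)
            if {"name", "version", "source"} <= p.keys()}
    return ["Provides: bundled(%s:%s) = %s" % (lang, n, v) for n, v in sorted(seen)]
```

A crate that appears in two versions yields two Provides lines, which is the case a security team most needs to see when checking which packages ship an affected version.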