Re: RFC Generic Packaging for Languages that have vendor/ Trees


Ludwig Nussel
Aleksa Sarai wrote:
> This is a proposal for having a generic packaging system of RPMs for
> languages that use "vendor/" trees. Please respond with any feedback you
> have on the details of this proposal.

Thanks Aleksa for driving this topic! It's been neglected for too long.

> [...]
> And here we come to my proposal. The idea is to take what is already
> being done in these projects, and create better tooling around it to
> make the work of development, maintenance, security, and legal much
> easier.
> First, we need to provide more metadata about these vendor blobs in the
> RPM layer, so that security could at least *track* what versions of
> things are used by a project. And in the worst case, it should be
> possible to patch a vendor blob. This would likely best be done through
> RPM macros, by creating a virtual Provides for each of the vendored
> libraries. This matches what Fedora does for bundled libraries[1]. The
> Provides could be just as simple as
>      Provides: bundled(rust:nix) = 0.8.1

At the very least, and as a first step, that method should be specified
in the packaging guidelines IMO. Mind writing a concrete proposal
just for that to the packaging list¹²?
Once approved actual implementations for various languages and
tooling can follow.



  (o_   Ludwig Nussel
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
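
The virtual Provides scheme quoted above, as an added example that is not part of the original message or of any distribution's tooling: Python that derives one `Provides: bundled(rust:NAME) = VERSION` line per vendored crate from a Cargo.lock. The lock file excerpt is constructed, the function names are hypothetical, and mapping `-` to `~` in pre-release versions is an assumption about how such versions would be made RPM-safe.

```python
import re

# Constructed Cargo.lock excerpt, not taken from any real project.
SAMPLE_LOCK = """\
[[package]]
name = "demo-app"
version = "1.2.0"
dependencies = [
 "nix",
 "rand",
]

[[package]]
name = "nix"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.4.0-pre.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

FIELD = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"$')

def parse_lock(text):
    """Return one dict of string fields per [[package]] table."""
    packages, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # a different table, e.g. [metadata]
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def bundled_provides(text, lang="rust"):
    """Provides lines for every vendored crate; local crates have no source."""
    seen = set()
    for pkg in parse_lock(text):
        if "source" in pkg:
            # RPM versions cannot contain '-'; mapping it to '~' is an assumption.
            seen.add((pkg["name"], pkg["version"].replace("-", "~")))
    return [f"Provides: bundled({lang}:{n}) = {v}" for n, v in sorted(seen)]

if __name__ == "__main__":
    print("\n".join(bundled_provides(SAMPLE_LOCK)))
```

The package's own crate (no `source` field) is skipped, and two locked versions of the same crate each get their own Provides line, so a query for an affected version still finds the package.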