Aleksa Sarai wrote:
This is a proposal for having a generic packaging system of RPMs for languages that use "vendor/" trees. Please respond with any feedback you have on the details of this proposal.
Thanks Aleksa for driving this topic! It's been neglected for too long already.
[...] And here we come to my proposal. The idea is to take what is already being done in these projects, and create better tooling around it to make the work of development, maintenance, security, and legal much easier.
First, we need to provide more metadata about these vendor blobs in the RPM layer, so that security could at least *track* what versions of things are used by a project. And in the worst case, it should be possible to patch a vendor blob. This would likely best be done through RPM macros, by creating a virtual Provides for each of the vendored libraries. This matches what Fedora does for bundled libraries[1]. The Provides could be just as simple as
Provides: bundled(rust:nix) = 0.8.1
At the very least, and as a first step, that method should be specified in the packaging guidelines IMO. Mind writing a concrete proposal just for that to the packaging list[1][2]? Once approved, actual implementations for various languages and tooling can follow.

cu
Ludwig

[1] https://en.opensuse.org/openSUSE:Packaging_guidelines_change_process
[2] https://en.opensuse.org/openSUSE:Packaging_guidelines

--
Ludwig Nussel
http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
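As an added illustration of the metadata step Aleksa sketches (one virtual `Provides: bundled(rust:<crate>) = <version>` per vendored crate), here is a small POSIX shell generator that derives those lines from a Rust project's Cargo.lock. It is example code written for this page, not tooling from the thread, from openSUSE or from Fedora; the Cargo.lock content is constructed for the demonstration, and the rule that "an entry with a `source` line is a vendored dependency, an entry without one is the project itself or a workspace member" is an assumption about how such a generator would distinguish the two.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or any distribution's
# packaging tooling. Generates "bundled()" virtual Provides, in the form
# proposed above, from a Rust vendor tree's Cargo.lock.

# Read a Cargo.lock on stdin and emit one
#   Provides: bundled(rust:<crate>) = <version>
# line per [[package]] entry that carries a "source" line (registry or git).
# Entries without "source" are the crate being built or workspace members,
# so they are not bundled and are skipped (assumption for this example).
bundled_provides() {
    awk '
        /^\[\[package\]\]/ { flush(); next }
        /^name = /         { name = $3; gsub(/"/, "", name) }
        /^version = /      { ver  = $3; gsub(/"/, "", ver) }
        /^source = /       { src = 1 }
        END                { flush() }
        function flush() {
            if (name != "" && src)
                printf "Provides: bundled(rust:%s) = %s\n", name, ver
            name = ""; ver = ""; src = 0
        }
    '
}

# Constructed Cargo.lock: the project crate plus two vendored dependencies.
CARGO_LOCK_SAMPLE='[[package]]
name = "example-tool"
version = "1.0.0"
dependencies = [
 "nix 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "nix"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
'

# Run the generator over the constructed lock file; returns the Provides
# lines that would be pasted into (or generated for) the spec file.
generate_sample() {
    printf '%s' "$CARGO_LOCK_SAMPLE" | bundled_provides
}

# Demo: print the Provides for the constructed lock file above.
generate_sample
```

With such Provides in place, the security team can answer "which installed packages bundle nix?" with `rpm -q --whatprovides 'bundled(rust:nix)'` and read the version straight from the capability, which is the tracking the proposal asks for.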