Fedora Updates: whole packages vs patches

Jorge Fábregas fabregasj at prtc.net
Thu Dec 9 17:56:31 UTC 2004


Hello everyone,

This will be a "back to basics" question :) 

I've been thinking about the current Fedora update mechanism vs other distros.  
For example, SuSE provides bugfixes and security-updates through patches (via 
rpm of course).
 
Imagine there's a package called foo1.4-1.rpm (size 10 MB) and that somebody 
finds a serious security vulnerability in this program. The code responsible 
for this issue resides in just one library (foo.so).  

A couple of days later the issue is solved. The library interface hasn't 
changed. The compiled library is just 1k.

Possible solutions to distribute this:

1- create an rpm with just that file (thus...it will be a patch rpm). size 1K

2- package the whole application (including new compiled library) as 
foo1.4-2.rpm which has a size of 10MB.

As you can see, on the 2nd option (Fedora's way), we're getting a 10MB package 
update for that 1K library replacement. Isn't that an overhead? Is it worth 
it? 
 
I personally like our current system. I think manageability-wise it is much 
better. In the other scenario, I'll have to look at an rpm version and 
release and also query the rpm database looking for patches (to see if 
there's a patch associated with my package). 

Comments are welcome! 

Thanks,
Jorge



