
Re: RFC: Soname in rpm name



On Mon, 2005-01-24 at 14:57 -0500, Jeff Spaleta wrote:
> Let them use Windows... I have no problem with people choosing to use
> insecure technology.
> But I do have a problem setting up this project in a way that makes it
> "very simple" to run old, unmaintained, vulnerable libraries by
> inexperienced users of Fedora. You can do some pretty flexible

You're not going to stop anyone from installing old libraries; you're
just stopping people from running modern applications that depend on
last week's libraries.  A user's system basically becomes impossible to
upgrade and impossible to install new software on until the entire Open
Source world recompiles all their packages for the new library.  If two
libraries could be installed at once the user wouldn't be trapped during
the transition - they could just get on with life as normal.

> be a package they find on the net in an old ftp. And I definitely
> want to encourage package builders to rebuild against libraries that
> are being maintained.

Is Fedora supposed to be an exercise in speedy RPM rebuilding, or an
operating system?

> 
> > 
> > The best solution is for libraries to not break backwards compatibility
> > every other week, that way security fixes are magically present even for 5
> > year old apps.
> 
> This is orthogonal to packaging issues... and frankly... not something
> a distributor of libraries can dictate to each upstream project.

> Please take your crusade to each and every component project so no
> package distributor will ever have to deal with these questions.

Oh, but they will, eventually.  Looks like Fedora added a gtk2 package
instead of just updating the gtk package to the 2.x series.  You guys
did great with gtk, so what's the problem with other packages?  gtk1 is
completely unmaintained and not only installed on many users' machines,
but even shipped with Fedora.  ;-)

Unfortunately, Fedora seems to be moving towards relying on huge massive
centralization of software packages to resolve broken packaging and lazy
development.

If it isn't shipped with Fedora Core/Extras, users aren't allowed to use
it?

