Alternative plan for packages with bundled libraries
I submitted this to the Advisory Board, but I'm including it here since
there's a lot of discussion ongoing about the nature of bundled
libraries in Fedora.
In the cases where removing libraries wouldn't be possible without
extensive upstream work, we should rewrite the rules around the use of
http://fedoraproject.org/wiki/Fedorapeople_Repos repositories to allow
such packages in an unofficial capacity. Right now, they require an
agreement that all packages being hosted meet Fedora Packaging
Guidelines in full, but I suspect that the Board could consider reducing
this restriction to "In compliance with Fedora Legal guidelines"
instead. So we could at least have a central semi-official repository
where these packages could be made available to those who need them
(separate from Fedora and unsigned so those using them *know* they're
not official or fully-supported) while efforts are made to bring the
project into full compliance, at which time it should become an official
The benefits of this would be that contentious packages could still have
a definitive delivery mechanism in keeping with Fedora's style. While
the package itself wouldn't fit into the official yum repositories, it
could still keep a set of maintainers (who would hopefully be actively
working with upstream to resolve the bundling issues at the same time).
The specific use-case I'm trying to address with this proposal was
brought up by Jeroen van Meeuwen on the Advisory Board mailing list. A
package like rubygem-passenger, which enjoys heavy use in the real
world, but can't be carried in Fedora due to a forked, bundled version
of the Boost utility library, could be carried in this unofficial
repository. Right now (according to Jeroen), it's very common for
deployments relying on this package to just roll their own from the
From Jeroen's original email:
"This means that meanwhile, thousands of us downstream consumers run
rubygem-passenger customly built, packaged (maybe) and deployed to
production, whatever was the latest version when someone had a chance to
look for updates.
Bad, bad, bad. Very bad."
I think we definitely want Fedora users to be able to use a common
package for their deployments, even if it's not signed and carried in
the official repository.