Does anyone else besides me think it's not OK to introduce new
dependencies without any explanation in package updates released
to stable Fedora branches?

Arguably, the current stable updates policy is against this
https://fedoraproject.org/wiki/Updates_Policy#Stable_Releases :
[...] Updates should aim to fix bugs, and not introduce features, [...]

This is happening regularly and FESCo mostly ignored the
issue when I raised it (https://pagure.io/fesco/issue/1682).

Sadly, this is still happening, and the reason for this particular
e-mail is the httpd update httpd-2.4.33-2:

It was pushed as a security update, but nowhere does it say why
mod_brotli is now enabled and that brotli is a new dependency.

https://www.apache.org/dist/httpd/CHANGES_2.4.33 doesn't say anything
about brotli, either. It was actually added (upstream) in 2.4.26:
Changes with Apache 2.4.26
  *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
     [Evgeny Kotkov]
but the Fedora maintainer waited until 2.4.29 to enable it:
and gave no explanation for doing it.

I filed a bug: https://bugzilla.redhat.com/show_bug.cgi?id=1564699
but the maintainer refused to even comment on the merits and closed
it without any reasonable explanation. I find his response not

Is this a legitimate issue or am I making a storm in a teacup here?
Ever-increasing package sizes and dependency bloat do seem to be
a popular topic these days.

Fedora   https://getfedora.org  |  RPMFusion   http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan