https://bugzilla.redhat.com/show_bug.cgi?id=2295820
--- Comment #11 from Tom Rix <[email protected]> --- (In reply to Tim Flink from comment #6) > (In reply to Jeremy Newton from comment #3) > > So some more information from a ROCm developer, we were in a meeting that > > included Tom and me: > > > > The bundled tensile is a fork, and is expected to diverge from tensile (if > > it hasn't already) and become a replacement for tensile in rocm (other libs > > are supposed to eventually call rocblaslt). > > I'd rather just move forward, and we can drop tensile later if need be. > > Yeah, that's mostly what I had understood when I talked to trix about it. > > > > How do we handle the "bundled" tensile ... I don't think that it needs to > > > be added to the provides but I also don't know if there is anything > > > preventing this from happening > > > > A bundle is a bundle, you need to add it regardless. The provides is more of > > a flag. I believe the intention is if they a security issue or similar > > critical issue in the library, the maintainer can look for the provides to > > notify the other maintainer that there's a critical bug that needs fixing. > > This could also be a CVE, a license issue, a copyright issue, a legal issue, > > etc. Providing a version is pretty important too for tracking. > > > > E.g. say library A has a CVE and package B bundles A, then it's easy to > > query for "provides: A" to see what packages need updating, which would be A > > and B. > > Sure, bundled libs should be handled like bundled libs and there's a reason > that process exists but that's not my argument here. I don't think that the > Tensile in tensilelite _is_ a bundle in the sense that we care about for > packaging. > > As near as I can tell, this package never installs the forked, bundled > Tensile - it just installs it in a source dir subdirectory, adds that > subdirectory to PATH and PYTHONPATH before doing the actual hipblaslt build > where I think it's used to generate the platform-specific kernels. The > Fedora package doesn't even provide Tensile which is why I don't think it > needs to have a bundled provides in the spec. > > Even if there were a CVE in this bundled Tensile, it's never distributed in > a Fedora package - it just exists on builders for a short time before that > disk is reclaimed post-build. We can have a discussion about whether that's > a good practice or not but unless there's something I'm missing here, this > package in its current state isn't bundling Tensile. I will replace bundled: with a strongly worded comment :P -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2295820 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202295820%23c11 -- _______________________________________________ package-review mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
