https://bugzilla.redhat.com/show_bug.cgi?id=2415364
--- Comment #2 from Rodolfo Olivieri <[email protected]> ---

(In reply to Ben Beasley from comment #1)

> https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_vendored_dependencies
>
> “In general, packages SHOULD NOT use bundled crate dependencies, whenever possible.
>
> “Whenever vendored / bundled crate dependencies are used (no matter which mechanism is used for the purpose), all bundled crate dependencies MUST be declared with virtual Provides in the format Provides: bundled(crate($crate)) = $version in the subpackage that contains the Rust component. For example, these virtual Provides are used to determine the impact of security vulnerabilities on packages that use vendored Rust dependencies.
>
> “Building exclusively from vendored dependencies by using a tarball that was generated by running cargo vendor SHOULD only be a last resort. […]”
>
> Is there a concrete technical reason for using vendored dependencies here? I know that RHEL vendors Rust dependencies as a matter of course, but this is Fedora. :-)
>
> I also see a lot of “CC0-1.0” in the license expression, which needs close investigation to make sure it’s for content and not for code (with very limited exceptions, https://gitlab.com/fedora/legal/fedora-license-data/-/blob/56aeba99ba1b551e82b359bde277d1c51cc26e13/data/CC0-1.0.toml#L11-L26), particularly because the vendored dependency bundle may be bringing in things that have never been packaged in Fedora before.

Hi, Ben! I will double-check the vendored dependencies, that was a mistake on my part, sorry. I definitely think there are a couple of those that are indeed present in Fedora. Regarding the CC0-1.0 license, I will check as well.
_______________________________________________
package-review mailing list -- [email protected]
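The guideline quoted in comment #1 ties the `Provides: bundled(crate($crate)) = $version` lines to vulnerability impact assessment. The following added example (not part of the bug thread or of Fedora's packaging tooling) derives those Provides from a Cargo.lock and then answers the question a security-response engineer asks: "which bundled versions of crate X fall in an affected range?". The Cargo.lock excerpt and the affected range are constructed sample data, not from the package under review.

```python
import re

# Constructed Cargo.lock excerpt (sample data, not the reviewed package's lockfile).
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "example-tool"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smallvec"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def bundled_crates(cargo_lock: str) -> list[tuple[str, str]]:
    """(name, version) for every crate pulled from an external source.
    The workspace's own crates carry no `source` key and are skipped."""
    crates = []
    for block in cargo_lock.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.MULTILINE))
        if "source" in fields:
            crates.append((fields["name"], fields["version"]))
    return crates


def provides_lines(cargo_lock: str) -> list[str]:
    """Render the virtual Provides in the format the Rust guidelines require."""
    return [f"Provides: bundled(crate({n})) = {v}" for n, v in bundled_crates(cargo_lock)]


def _ver(v: str) -> tuple[int, ...]:
    # Compare numerically; drop any pre-release/build suffix such as "-alpha.1".
    return tuple(int(x) for x in re.split(r"[-+]", v)[0].split("."))


def affected_by(cargo_lock: str, crate: str, introduced: str, fixed: str) -> list[str]:
    """Bundled versions of `crate` inside the half-open range [introduced, fixed).
    A lockfile can pin the same crate at several versions; all are reported."""
    return [v for n, v in bundled_crates(cargo_lock)
            if n == crate and _ver(introduced) <= _ver(v) < _ver(fixed)]
```

Running `provides_lines` over the real lockfile gives the lines the subpackage must declare; `affected_by` is the check that those declarations make possible once an advisory names a crate and a fixed version.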
