Hi again,
On 14/11/2021 19:37, Kurt Jaeger wrote:
> I agree. The problem is that this is very difficult to codify
> into some policy.
I've done some digging. And actually, Fedora only needs a few words:
"All patches should have an upstream bug link or comment" [1]
This assures that packages stay close to their upstream projects.
Another rule could be
"Patches should only be applied to make the software run as intended by
its developer. All additional functionality should be integrated
upstream first or, if that's not possible or desirable, should be
developed as a separate project which can then be ported alongside the
first port."
Having rules for these situations means that tools can be created to
verify and enforce those rules.
Not having these rules is an invitation to people with malicious intent
to integrate backdoors, keyloggers, and what not into the ports. IMHO.
Rob
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_all_patches_should_have_an_upstream_bug_link_or_comment
--
https://www.librobert.net/
https://www.ohreally.nl/category/nerd-stuff/
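One shape such a verification tool could take, as an added example that is not part of the thread: a small lint that walks a port's patch directory and flags any patch whose header carries neither an upstream bug/commit URL nor an explanatory comment. The `patch-*` / `*.patch` naming, the URL pattern and the "at least five words of justification" threshold are constructed assumptions, not any project's actual rule.

```python
"""Lint patch files for an upstream bug link or explanatory comment.

Added example, not code from the thread or from any distribution's tooling.
The file-name globs, URL heuristic and word threshold are assumptions."""
import re
import sys
from pathlib import Path

# Constructed heuristic: URLs that typically point at an upstream tracker or commit.
UPSTREAM_URL = re.compile(
    r"https?://\S+/(?:issues|pull|bugs|commit|merge_requests|show_bug\.cgi)\S*",
    re.IGNORECASE,
)
MIN_COMMENT_WORDS = 5  # assumed threshold for a "real" comment, not a bare line


def patch_header(text: str) -> str:
    """Return the free-text header of a diff: everything before the first
    file-header line. That is where ports-style patches carry their comment."""
    header = []
    for line in text.splitlines():
        if line.startswith(("diff ", "--- ", "Index: ")):
            break
        header.append(line)
    return "\n".join(header)


def has_upstream_reference(text: str) -> bool:
    """True if the header links to an upstream tracker/commit or carries
    at least MIN_COMMENT_WORDS words of prose explaining the patch."""
    header = patch_header(text)
    if UPSTREAM_URL.search(header):
        return True
    words = [w for w in header.split() if w.isalpha()]
    return len(words) >= MIN_COMMENT_WORDS


def lint_patch_dir(files_dir: Path) -> list[str]:
    """Return the names of patch files that violate the rule, sorted."""
    candidates = list(files_dir.glob("patch-*")) + list(files_dir.glob("*.patch"))
    return sorted(
        p.name for p in candidates
        if not has_upstream_reference(p.read_text(errors="replace"))
    )


if __name__ == "__main__":
    offenders = lint_patch_dir(Path(sys.argv[1] if len(sys.argv) > 1 else "files"))
    for name in offenders:
        print(f"{name}: no upstream bug link or comment")
    sys.exit(1 if offenders else 0)
```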