On 11/06/2013 08:52 PM, Adam Jackson wrote:
> Again: don't stop the solution short based on what the current code
> happens to implement.
>
> If we're building the bundles - and there's reasons we would want to -
> then we know the patches we need to apply.

Despite significant efforts, we still have some trouble doing precisely
that in the current environment. Ensuring that critical changes are
applied to all relevant branches pretty much relies on individual
developer effort and attention.

From a bird's-eye view, we perform bundling at the distribution level.
Carrying patches back and forth is not easy. We've been dealing with
this for a decade or more, yet supporting technology is still scarce.

This has little to do with RPM and its limitations because it's about
making sure that dist-git (both Fedora and further downstream) have the
required or best possible versions of the code base. At this stage, the
lack of multiple RPM databases, multiple versions of the same package,
etc. does not come into play. There are some constraints due to the
processes involved, but everyone is free to use the data that is just
out there and start their own side project to tackle this problem. Yet
this hasn't happened. There have been some research efforts, but
nothing came out of that which actually had a chance of integration.
(Other distributions face the same challenge.)

That's why I'm fairly convinced that the delivery mechanism isn't
holding back a solution. It's just a very difficult problem, no matter
how you eventually ship your bits.

--
Florian Weimer / Red Hat Product Security Team