radical suggestion for fc4 release

Jeff Spaleta jspaleta at gmail.com
Tue Feb 1 16:21:12 UTC 2005

On Tue, 1 Feb 2005 16:12:14 +0000 (GMT), Mark J Cox <mjc at redhat.com> wrote:
> Right now to determine if a particular issue is fixed you need to search
> the changelog, and if nothing is mentioned, unpack the SRPM, then look in
> each of the patches to see if the CVE name is mentioned, and if not if the
> patches included vaugely matches the patch for the issue.  We do this in
> our pre-release audit - packages are horribly inconsistant.

I'm not sure how turning this into a provides garuntees consistency.
It still comes down whether or not a packager sticks the provides in
manually.. not much different than sticking in a note in the
changelog. Either one is easily forgotten by a packager.  Bugzilla is
riddled with bugs about missing provides and requires that are
manually created by the packager. I don't see how moving it out of the
changelog creates a consistency win.

But please consider that by encoding this information into a provides
you are polluting the provides namespace that depsolvers are using
with information that you have no intention of using like a
dependancy. This will lead to unexpected problems.. when 'some'
packagers get the bright idea to actually do a dependancy on this,
that depsolves will have to negotiated.  Maybe if the intent of the
provides doesn't include using it as part of depsolving.. maybe this
is the wrong place to encode this information.


More information about the fedora-devel-list mailing list