RFC: Soname in rpm name

Sean Middleditch elanthis at awesomeplay.com
Mon Jan 24 15:18:24 UTC 2005


On Mon, 2005-01-24 at 10:02 -0500, Jeff Spaleta wrote:
> On Mon, 24 Jan 2005 09:15:14 -0500, Sean Middleditch
> <elanthis at awesomeplay.com> wrote:
> > We _have_ had this problem, btw.  The problem is that it's not generally
> > developers that notice it.  It's the user that just wants to have their
> > machine work.  I go to install third party app Foo from Foo's web site,
> > it needs libbar.so.2, Fedora only has libbar.so.1, and many other apps
> > on the net require libbar.so.1.
> 
> A third-party website is packaging libbar.so.2 in a package of the
> same package name as Fedora's libbar.so.1?   Why would a third party
> site do that? Unless the intention was to replace the Fedora package? 
> Isn't this an example of the care 3rd party packagers should be taking
> to make sure their packages work well with Core?

Sure, they just make up their own package name.  Then FC4 comes along
and includes a package that provides the same library, but in a
different package name because there's no standard, and the user's
system breaks until they magically become experienced enough to fix it.

> 
> And I might add.. that while users and admins.. might want to install
> many other apps from anywhere on the net that they find them... this is
> not necessarily advisable behavior.  You continue to cater to this

Because Fedora is going to provide every application that every user
could ever want with the latest version with the latest features such
that no user will ever, ever need anything not on the Fedora Core/Extras
CD, ever, under any circumstance, ever... right?

> sort of thing and you will end up with people installing very old
> libraries that are no longer being maintained so that they can install
> very old applications that are no longer being maintained and could
> have unresolved but well understood security problems.  I'm really not
> sure it's in anyone's best interest to make it really drop-dead easy to
> install unmaintained software that might be exploitable simply because
> the package was created in 2000.

So, because a user might install an old app, you want to make sure
users can't install any app...?

Hmm, the user might download an old app from source and install it!
Even an inexperienced user can follow a README or HOWTO.  I suggest that
FC4 disables all Internet access and does not ship with a compiler so
that users don't inadvertently install an insecure or buggy app.
Advanced users who are knowledgeable about security will still be able
to manually configure network access and find compiler binaries off the
'net, so this change won't reduce the usefulness of Fedora, but simply
protect users who don't know any better.  </sarcastic-extremism>  ;-)

> 
> -jef
> 



