RFC: Soname in rpm name

Mike Hearn mike at navi.cx
Tue Jan 25 23:06:57 UTC 2005


On Mon, 24 Jan 2005 14:57:57 -0500, Jeff Spaleta wrote:
> Yeah... i like AOL's new commercials about virus protection which
> speak to your point about Windows

I'll skip the "backwards compatibility == viruses" stuff as it really
isn't relevant here and doesn't stand up to close inspection anyway (hint:
is it useful to prevent people who rely on a particular program from
getting *any* security updates at all, because one breaks their program?
no other desktop OS vendor has said yes here).

> Let them use windows... i have no problem with people choosing to use
> insecure technology.
> But i do have a problem setting up this project in a way that makes it
> "very simple" to run old, unmaintained, vulnerable  libraries by
> inexperienced users of Fedora.   You can do some pretty flexible things
> on the commandline with rpm if you really want to do it and I'm not
> arguing that ability should be taken away. But i don't want to encourage
> the general user base to use packaged libraries from old trees that are
> no longer being maintained just because it happens to be a package they
> find on the net in an old ftp.  And i definitely want to encourage
> package builders to rebuild against libraries that are being maintained.

Since when is this just about "rebuilding" stuff? Do you think apps are
magically ported to GTK+ 2 by running gcc on them? What about OpenSSL?

This is not simply a matter of running gcc or rebuilding packages. It's a
much deeper issue.

> This is orthogonal to packaging issues... 

Not in the slightest, it's fundamental to packaging issues.

> and frankly... not something a
> distributor of libraries can dictate to each upstream project. 

Why is Fedora including unstable libraries as discrete packages at all?
Why not just statically link them into the packages that need them?

Yes I'm aware of the disadvantages of static linking. Are you aware of the
disadvantages of dynamic linking?

> If this were debian... with debian timescales for the development and
> end-of-life... 5 years isn't that long. But this isn't debian.. and this
> project doesn't have those sorts of timescales... so with respect to
> FC's timetable 5 years is definitely a long time.

Outside of the Linux community (ie, in the *desktop world*) the current
rate of instability is simply unacceptable. Why do you think Red Hat make
money by selling what is essentially an old version of Fedora?

<sigh>

I don't know why I bother, really, Sean is quite right - the number of
ways people justify massive "platform" (haha) instability to themselves is
astonishing. I should keep a note of them all or something. This sort of
thing keeps coming up again and again because it causes users *pain*, and
each time it does people write it off as "not our problem", "unfixable",
"only proprietary software needs that" or "DO YOU HATE INNOVATION!?!" type
crap.

thanks -mike



