[Fedora-packaging] How to package a patched older version of libvmime in Fedora best?

Robert Scheck robert at fedoraproject.org
Thu Apr 2 18:47:07 UTC 2009 

On Thu, 02 Apr 2009, Tom spot Callaway wrote:
> This is great until there is a security issue or a bug fix that doesn't
> make into this copy.

Okay, as per our talk in IRC, I will use app-libvmime or libvmime-app as
package name and thus play with the -release possibility of libtool to get
libvmime soname changed.

[20:18:22] < rsc> spot: that's worse argumenting IMHO ;)
[20:18:39] < rsc> spot: if it's "officially" forked, same can happen
anyway.
[20:19:14] < spot> rsc: yes, but in those cases, upstream is usually making
other changes and there is less likelyhood of overlap in issues
[20:19:29] < spot> (it's also less obvious to l33t hax0rs)
[20:20:54] < rsc> spot: as upstream is focussed to rewriting code and API
from 0.x to 0.x+1, I guess, upstream less cares about current 0.x-2
[20:21:34] < rsc> spot: means, I'm in doubt regarding whether security
fixes (if there's one) really a) applies and b) is relevant at all.
[20:22:39] < spot> rsc: again, since it would be buried in a dependent
package, no one will know to look until it is too late.
[20:22:58] < spot> the correct answer is "port it to the current library"
[20:23:19] < spot> the slightly acceptable compromise answer is "rename the
library, make it standalone"
[20:23:46] < rsc> spot: and who will do that huge amount of work again and
again for every 0.x+1 release of upstream?
[20:24:21] < spot> coding is hard, lets go shopping.
[20:24:40] < rsc> spot: second thing means forking in other words, right?
[20:24:58] < spot> rsc: upstream forked the moment they decided to bundle a
patched library.
[20:25:12] < spot> you'd just be making a more managable, visible fork.
[20:25:29] < rsc> spot: "just", exactly.
[20:25:57] < rsc> spot: okay, that means, I better should simply go for
libvmime0.7.so.0.7.1?
[20:26:25] < spot> rsc: sure.
[20:26:39] < spot> rsc: as a separate package, preferrably.
[20:27:50] < rsc> spot: okay. Any suggestions how to %{name} the package?
libvmime07?
[20:28:22] < spot> well, given that it has specific patches for one app, i
might incorporate the name of that app
[20:28:34] < rsc> spot: okay, so app-libvmime?
[20:30:54] < spot> rsc: or libvmime-app
[20:32:03] < rsc> spot: any opinion which is better? AFAIK we not really
have a guideline for that. Personally I would tend to app-libvmime to make
visible where it belongs to. But I can life with both.
[20:32:26] < spot> i wouldn't lose sleep over either honestly.
[20:32:32] < spot> your call
[20:33:05] < rsc> okay, then I'll throw a dice, once I come to that.


Greetings,
  Robert

More information about the Fedora-packaging mailing list