On Wed, Jan 7, 2015 at 7:39 PM, Adam Williamson <adamwill@fedoraproject.org> wrote:

On Tue, 2014-08-19 at 15:19 +0400, Pavel Alexeev wrote:
> Sorry for the old thread.
> But it is very interesting question to clearly determine "bundled
> library" to which returning happened again and again.
> Does it hang again now or something indeed changed?

Yeah, I'm still interested in other people's thoughts on this, I
rather expected it to get more traction when first posted. I guess
I'll try one more bump (this one) and if still no-one bites, we can
file an FPC ticket, perhaps.

I don't think it's possible to get a perfectly black-and-white definition of what constitutes a bundled library. Of course there are always the obvious cases where a project copies one into their source tree more-or-less verbatim.

That being said, I think one thing that helps make it clearer is to look at the guidelines in reverse, meaning why don't we allow/like bundled libraries? Overall the primary driver from the wiki page seems to be security, so when dealing with the "grey area" perhaps looking at things from a security perspective may help.

In the specific case I ran into, one of the package suites I've been working on technically bundles a modified copy of xmlrpcpp. However, it is quite modified, upstream is dead, it's not already in Fedora, and the author I'm working with only uses it for communication between his suite of programs and has no intention of offering it as a separate library.

So again, from a security point of view:
- It's not in Fedora so there's no code/library duplication
- Upstream is dead so there's no one to send the code to upstream
- It's not going to get used by another package in Fedora because it's not offered as a separate library.

The final determination during the review was that it was far enough into the grey area to not be considered a bundled library, and practically that makes sense when you think about the requirement to add a virtual provide to the package: in my case there's no upstream "name" to use due to the amount of modification, nor a specific version I could tie it to.

Don't know if this helps any with the discussion, but I'm just sharing my experience dealing with package reviews.

Thanks,
Richard