Dne 17. 12. 19 v 21:57 David Cantrell napsal(a):
With regard to the recent protobuf package issue and the eclipse
module, I
started wondering how bugs work with packages bundled in modules.
That is,
packages that exist outside modules (e.g., protobuf) that end up
bundled with
some module.
NOTE: It is very easy for module posts to quickly balloon out in to
all sorts
of topics and stories. I would prefer that we keep this thread
related to the
Subject above. Thanks.
The following are policy questions I came up with after the protobuf
issue
happened:
1) Are modules allowed to bundle packages that are provided by and
currently
maintained in the base system? Are there are restrictions to what a
module
can bundle (e.g., can a module bundle glibc)?
2) Using protobuf as an example, if a bug is found by a user and they
happen
to deduce that the error is in protobuf, how do they file a bug? Do
they file
the bug against protobuf if the bundled one from the module has the
issue?
What maintainer is on the hook for handling that bug report? My
assumption
here is that the module maintainer is ultimately responsible for
everything
they bundle. Another concern I see here is we are opening ourselves
up for
N+1 different builds of protobuf where N is the number of modules
installed on
a system and all of them could have protobuf bundled.
3) If a user files a bug against a module and the module maintainer
triages
that to a bundled package, how is that handled? Who is maintaining the
bundled build of that package? Who is responsible for fixing it?
These are two very interesting points.
Just FTR, for Red Hat Software Collections, we are (ab)using "Version"
BZ field to track the SCL version (e.g. [1]), which in module
terminology resembles stream. Maybe we could reuse something similar for
modules in Fedora.
Also, it is interesting that AFAIK, we have not yet dealt with issue
like this (i.e. reporting issues against specific streams) for RHEL8 yet.
Vít
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1757842
4) How can users determine what packages are installed from a module
and how
can you see what, if any, module "owns" a package? I have been unable to
determine how to do this from dnf.
5) How are CVEs handled for packages that are also bundled with a module?
I have read as much as I can find about how things work right now with
modules, but that has been mostly the "how" and nothing around policy.
Thanks,