Bug 416667

Summary:	Ebuilds should have method (variable) to record bundled libraries
Product:	Gentoo Hosted Projects	Reporter:	Samuli Suominen (RETIRED) <ssuominen>
Component:	PMS/EAPI	Assignee:	PMS/EAPI <pms>
Status:	CONFIRMED ---
Severity:	enhancement	CC:	dev-portage, esigra, kripton, qa, sam, security
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Requirement_if_you_bundle
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	251464

Description Samuli Suominen (RETIRED) gentoo-dev

2012-05-19 20:07:41 UTC

Fedora (RPM) has this thing called "Provides: bundled(library_name) = version" that can be added when the maintainer knows the package is bundling a library.[1]

There are situations where the bundled libraries are modified, or are hard to unbundle and the maintainer wants to do it later. Or sometimes it simply makes sense to use bundled libraries like sys-devel/gcc is doing with libffi for gcj.

I propose we add an entry like, for example:

DEPEND_BUNDLED="=dev-libs/libffi-3.0.10"

This would allow tools, or Package Manager itself to tell the security@ and qa@ teams immediately which packages bundle what when a security bug is reported.

Tracking these only by bugzilla[2] is not convinient and things go to /dev/null accidentally very easily.

[1] http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Requirement_if_you_bundle

[2] http://bugs.gentoo.org/251464