[Bug 336874] Third Party Library Policy
Bugzilla Link | 336874 |
Status | NEW |
Importance | P3 normal |
Reported | Feb 10, 2011 15:54 EDT |
Modified | Aug 22, 2020 14:05 EDT |
Description
At today's architecture council meeting, I brought up the topic of implementing a third party library policy (based on some of Andrew Overholt's gripes). The main motivator of this is the pain we feel at Fedora as we tend to ship the latest version of a library and have had to patch Eclipse to use the latest library. eclipse.org projects, especially the SDK, have historically not been good about moving to the latest version of libraries (e.g., Lucene).
There are many benefits in moving to the latest version of a library, from security fixes to new features. On the call, we discussed some potential downsides, from the time it takes to move to a new library via the Eclipse IP process to the testing of the actual new library. Another topic that came up was that Eclipse sometimes ends up in a situation where projects are using two different versions of a library and we are in a case where three projects are using three different versions of, say, log4j, instead of just the latest version.
There was some discussion by Wayne Beaton on how to implement a tool using iplog data that can notify projects if a newer version of a library is available in Orbit (or elsewhere) and they aren't using it. Another strategy could be to make this part of the release review process: when you hand in your IP log, the IP team could do a quick check to see if there are newer versions of any of the libraries used... projects would have to justify their usage of the older library. Another strategy could be to make a strong requirement for the simultaneous release that you're on the latest version of a library available.
Those are my two cents.
So what are people's thoughts here?