#268 Bundling exception request: mediatomb and libupnp
Closed: Fixed None Opened 11 years ago by limb.

Because of:

https://bugzilla.redhat.com/show_bug.cgi?id=883790

I noticed that mediatomb bundled an old version of libupnp. After much wrestling, I got mediatomb to build and run. However, I forgot to test it, and was informed that mediatomb was now pretty badly broken. Upon examination of the CVE patch and the bundled libupnp in mediatomb, I discovered that the version in mediatomb, 0.4.1, is not affected, the earliest affected version being 1.2.1.

Questions:

Has the library behaviour been modified? If so, how has it been modified? If the library has been modified in ways that change the API or behaviour then there may be a case for copying. Note that fixing bugs is not grounds to copy. If the library has not been modified (ie: it can be used verbatim in the distro) there's little chance of an exception.

No.

Why haven't the changes been pushed to the upstream library? If no attempt has been made to push the changes upstream, we shouldn't be supporting people forking out of laziness.

See above. I requested that upstream update to the latest libupnp.

https://sourceforge.net/tracker/?func=detail&aid=3608473&group_id=129766&atid=715780

Have the changes been proposed to the Fedora package maintainer for the library? In some cases it may make sense for our package to take the changes despite upstream not taking them (for instance, if upstream for the library is dead).

See above.

Could we make the forked version the canonical version within Fedora? For instance, if upstream for the library is dead, is the package we're working on that bundles willing to make their fork a library that others can link against?

Like a compat-libupnp. I suppose, but that's not ideal.

Are the changes useful to consumers other than the bundling application? If so why aren't we proposing that the library be released as a fork of the upstream library?

See above.

Is upstream keeping the base library updated or are they continuously one or more versions behind the latest upstream release?

Continuously behind, see above.

What is the attitude of upstream towards bundling? (Are they eager to remove the bundled version? are they engaged with the upstream for the library? Do they have a history of bundling? Are they argumentative?)

Awaiting response.

Overview of the security ramifications of bundling
Does the maintainer of the Fedora package of the library being bundled have any comments about this?

None so far.

Is there a plan for unbundling the library at a later time? Include things like what features would need to be added to the upstream library, a timeline for when those features would be merged, how we're helping to meet those goals, etc.

Awaiting response.

Please include any relevant documentation -- mailing list links, bug reports for upstream or the bundled library, etc.

Upstream has responded, see referenced bug.

Exception for mediatomb to include its fork of libupnp is granted (+1:5, 0:0, -1:1)

Provides: bundled(libupnp)

Thanks!
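The `Provides: bundled(libupnp)` virtual capability required above is what lets a distribution find every package carrying a private copy of a library when a CVE in that library is published. Below is an added example, not part of this ticket or of the mediatomb package, showing how to pull the `bundled(...)` entries out of `rpm -q --provides` output. The sample provides list is constructed for illustration; the package release and the `1.6.6` version string are made up and do not describe the real mediatomb or libupnp.

```shell
#!/bin/sh
# Added example (not from the ticket): extract bundled() virtual Provides from
# the output of `rpm -q --provides <pkg>`, one capability per line.

# Constructed sample in the shape rpm prints; versions are illustrative only.
sample_provides() {
  cat <<'EOF'
mediatomb = 0.12.1-30.fc20
mediatomb(x86-64) = 0.12.1-30.fc20
bundled(libupnp) = 1.6.6
config(mediatomb) = 0.12.1-30.fc20
libmediatomb.so()(64bit)
EOF
}

# Read provides on stdin; print "<library> <version>" for each bundled(...)
# capability, or "<library> unversioned" when the spec omitted "= <version>"
# (as the bare "Provides: bundled(libupnp)" in this ticket does).
list_bundled() {
  awk '
    /^bundled\(/ {
      name = $1
      sub(/^bundled\(/, "", name)
      sub(/\)$/, "", name)
      ver = ($2 == "=" && $3 != "") ? $3 : "unversioned"
      print name, ver
    }'
}

# Stand-alone run: expected output is "libupnp 1.6.6".
sample_provides | list_bundled
```

On a real system the same filter applies to `rpm -qa --provides | list_bundled`, and the reverse lookup for a CVE in the system library is `rpm -q --whatprovides 'bundled(libupnp)'`. An unversioned bundled() entry still identifies the package but leaves the affected-version question to manual inspection, which is one reason to record the version in the spec.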

Metadata Update from @spot:
- Issue assigned to spot

7 years ago

