  2. 6

    Thanks for the interesting write-up.

    At the end, you mentioned:

    > I was unable to locate the Fedora package which is supposed to exist somewhere.

    I think some want to get it into the system repositories but it’s not currently there. This COPR seems to be the most popular and it appears that the current build is broken.

    Reading the spec file for LXD there, it looks like they’re using the bundled() macro to mark the vendored library versions as being “virtually” provided. That is an attempt to let automated security tools audit the dependencies during scans without advertising the provided libraries as suitable for any other package to use.

    I think Fedora started using the term “bundled” before the term “vendored” became so common. Here’s their documentation on the concerns and how they advise packagers to handle them.

    1. 2

      Ohh, interesting. Thanks!

      I tried looking at the linuxcontainers.org page but that link is currently dead and I didn’t find anything else on there with “lxd” in its name.
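
The `bundled()` Provides mentioned in the comment above are what lets a scanner see vendored libraries inside a package. The sketch below is an added example, not part of the thread or of the COPR spec file: the spec fragment, component names and advisory data are constructed, and it assumes the `Provides: bundled(name) = version` form from Fedora's bundling guideline.

```python
import re

# Constructed spec fragment; names and versions are illustrative only.
SPEC = """\
Name:           lxd
Provides:       bundled(golang(github.com/example/websocket)) = 1.4.0
Provides:       bundled(golang(github.com/example/yaml)) = 2.2.8
Provides: bundled(libexample) = 0-0.1.20200101gitabcdef
Requires:       acl
"""

# Constructed advisory data: bundled component -> first fixed version.
ADVISORIES = {
    "golang(github.com/example/yaml)": "2.3.0",
    "golang(github.com/example/websocket)": "1.4.0",
    "libexample": "1.0",
}

PROVIDES_RE = re.compile(
    r"^Provides:[ \t]*bundled\((?P<name>.+)\)[ \t]*=[ \t]*(?P<ver>\S+)[ \t]*$", re.M)

def bundled_provides(spec_text):
    """Map each bundled component declared in the spec to its version."""
    return {m["name"]: m["ver"] for m in PROVIDES_RE.finditer(spec_text)}

def parse_version(v):
    """Dotted-numeric versions only; snapshot strings return None."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        return None
    return tuple(int(p) for p in v.split("."))

def audit(spec_text, advisories):
    """Classify each bundled component that has an advisory entry."""
    findings = {}
    for name, ver in bundled_provides(spec_text).items():
        if name not in advisories:
            continue
        have, need = parse_version(ver), parse_version(advisories[name])
        if have is None or need is None:
            # Simplification: real tools use RPM's own version comparison.
            findings[name] = "unknown"
            continue
        width = max(len(have), len(need))  # pad so 1.0 equals 1.0.0
        have += (0,) * (width - len(have))
        need += (0,) * (width - len(need))
        findings[name] = "vulnerable" if have < need else "ok"
    return findings

if __name__ == "__main__":
    for component, status in audit(SPEC, ADVISORIES).items():
        print(f"{status:10} {component}")
```

Snapshot-style versions are reported as `unknown` rather than guessed, so they can be reviewed by hand.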