Breaking API is not acceptable for EL*
This update is needed to fix a number of security issues which we don't have the manpower to backport fixes for (https://bugzilla.redhat.com/show_bug.cgi?id=1411860) and to address https://bugzilla.redhat.com/show_bug.cgi?id=1426035. The update keeps ABI compatibility, and as for any minor API changes, I maintain all of the dependent packages (python-pygit2, libgit2-glib, gitg) and will take care of them. Sorry, I know you hate RHEL and EPEL and want to see them fail and Fedora succeed, but blocking improvements that other people work on isn't the way to go here. Can you please also neuter your -1 karma in the Bodhi update that you clearly filed without even installing the update? Thanks. Closing as wontfix.
There's some good and bad here, let's start with the bad: the comment on the reporter's character and motives. The good: I think as maintainer you did well to make an effort to actually provide a compatible ABI here. The approach used to achieve that is... questionable, however; simply copying the same library from a previous build is probably not acceptable.
I was talking about API, not ABI.
Note that there is actually a policy for incompatible upgrades: https://fedoraproject.org/wiki/EPEL_incompatible_upgrades_policy At least more communication would be good here, and rebuilding/including all the packages that use libgtk2 in the collection in any update.
Regarding the last part, addressed in comment #1: "I maintain all of the dependent packages (python-pygit2, libgit2-glib, gitg) and will take care of them."
But that doesn't include dependent packages of them, for example pagure, which relies on pygit2.
Right. pygit2 needs more testing: see bug https://bugzilla.redhat.com/show_bug.cgi?id=1426035 for discussion about that. The update that is being discussed here keeps full binary compatibility that is needed for old pygit2 and keeps it working exactly like it was before. At the same time this update also opens up the possibility to put a new pygit2 version in EPEL. Doing things step by step here to not break the whole world at a time.
I'm not a big fan of the way you are keeping binary compatibility. I think it breaks https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries. It also means all those things are still vulnerable, etc.
Plus if you just bump the release and rebuild, you will get the new soname versioned as 0.21 while I believe rebuilding the same spec file should lead to the same RPM.
Including built libgit2.so.21 from previous build 1) doesn't fix security issue 2) doesn't preserve API 3) violates policy of pre-built libraries to some degree
4) breaks building on the top of pygit2 https://koji.fedoraproject.org/koji/taskinfo?taskID=19587785
(In reply to Pierre-YvesChibon from comment #11)
> 4) breaks building on the top of pygit2
> https://koji.fedoraproject.org/koji/taskinfo?taskID=19587785
Ok, seems this was un-related, so I guess point 4) doesn't apply :)
I've dropped the libgit2.so.21 ABI compatibility now, thanks everybody!
libgit2-0.24.6-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8c63ac9cba
libgit2-0.24.6-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.