There are multiple ways that we could consider relaxing the bundling guidelines. This page collects the ones that we've recently wanted to apply to a variety of situations.
Active upstream Security Team
Another thing that might be viewed favorably by the FPC is if
- Project is actively developed and has a responsive upstream, with new releases occurring at least yearly. Rationale: a) if a security issue does arise, we don't want to be left on our own; b) where projects have bundled code but are not fast-moving, the reward/work ratio of unbundling the code is higher.
AND
- Project has an active security response team of its own and has demonstrated both the ability and the will to release timely security updates when issues are discovered in bundled code. Rationale: this reduces the burden on our security team, and does not put Fedora maintainers in the position of creating or carrying our own patches.
AND
- The upstream project is actively working on unbundling.
We'd also allow forks of such projects in.
Too Big to Fail
Although it is a case of last resort that FPC is extremely reluctant to allow, we occasionally consider whether a package is too popular to keep out of the distribution. FPC