On 10.12.2012 11:08, Vincent Cheng wrote:
> Well, I'm not thrilled at the prospect of using an embedded copy of
> irrlicht in stk either. However, Policy 4.13 doesn't explicitly forbid
> doing so (should != must), and hence why the security team has a list
> of embedded code copies [1]. Upstream has indicated that at some point
> in the future, their modifications to their embedded copy of irrlicht
> are going to be extensive enough to break the API. If you've got any
> other options I haven't considered yet, I'm all ears. :)

Reading through the two bug reports you have mentioned, the following
options are on the table IMO.

1. Releasing version X of STK with version Y of irrlicht and applying
   changes which were made upstream to STK via a patch. I think this is
   mainly a documentation issue and upstream should take care of it.

2. Replace irrlicht in Debian with the STK version. Seems to be no
   problem at the moment because only a few packages depend on it but
   would become an issue in the future if we include more games which
   depend on the official irrlicht version.

3. Use the embedded copy of irrlicht and report the issue to the
   security team and track everything security related to STK and
   irrlicht carefully.

Personally I would go for 1 because that's the responsibility of
upstream and is not your fault.

Regards,

Markus