Re: Q: Debian position on bundled libraries

To: Debian Development <debian-devel@lists.debian.org>
Subject: Re: Q: Debian position on bundled libraries
From: Paul Wise <pabs@debian.org>
Date: Thu, 23 Aug 2018 15:26:51 +0800
Message-id: <[🔎] CAKTje6Gebsjr=Vi3LvP-DHDO_OHip5ZuEBPXO6aPnzhBgiTEUg@mail.gmail.com>
In-reply-to: <[🔎] 86b81c05-4d85-2c62-68b1-198fcf1f7d1b@gmail.com>
References: <[🔎] 86b81c05-4d85-2c62-68b1-198fcf1f7d1b@gmail.com>

On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote:

> Here is some libraries to unbundle; this could certainly could be done,
> However, the core issue is a few libraries which cannot realistically be
> unbundled. One example is mygdal, a heavily patched subset of the gdal
> package.

gdal has had one security issue in the past and I wouldn't be
surprised if it had one in the future, since it is basically a
collection of file format parsers. As such I am not sure using a fork
of it is a good idea. It would be best to work with both upstreams to
resolve the delta.

https://security-tracker.debian.org/tracker/source-package/gdal

> So, before proceeding with this work I'd like to know how to handle a
> situation like this. Under what conditions (if any) is bundling actually OK?

Personally, I don't think it is ever acceptable.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Q: Debian position on bundled libraries
  - From: Alec Leamas <leamas.alec@gmail.com>

References:
- Q: Debian position on bundled libraries
  - From: Alec Leamas <leamas.alec@gmail.com>

Prev by Date: Re: Q: Debian position on bundled libraries
Next by Date: Bug#907016: ITP: python-zvmconnector -- z/VM cloud management library
Previous by thread: Re: Q: Debian position on bundled libraries
Next by thread: Re: Q: Debian position on bundled libraries
Index(es):
- Date
- Thread