
Re: What to do when DD considers policy to be optional? [kubernetes]



On Tue, Mar 24, 2020 at 1:47 AM Sean Whitton wrote:

> Specifically, as README.Debian states, the vendor/ subdirectory of the
> source package contains more than two hundred Go libraries.

There are a *lot* of embedded code/data copies in Debian already.
While it would be nice to remove them, sometimes it isn't possible.
Often the copies are forked, or upstream refuses to remove them,
sometimes even though they forgot why they were added in the first
place. In addition the developer culture in various communities
encourages embedded copies. I think the best thing we can do is send
patches to upstream projects to switch from vendoring to using the
native dependency system of the package manager for the related
language community. ISTR reading that Go has one of those now. Where
language communities don't have a native package manager, we need to
invent one for them. Then we can use things like dh-make-perl to
package the dependencies for Debian. I have no data but I think this
approach is more likely to have success than ranting about embedded
copies, tempting though that is. Apart from trying to discourage their
use, unfortunately embedded copies are here and they will never go
away; we need to accept that fact and deal with the consequences,
for example ensuring that all copies get fixed for security issues,
trying to get them updated upstream after important bug/performance
fixes, and so on.

https://wiki.debian.org/EmbeddedCodeCopies
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
https://wiki.debian.org/AutomaticPackagingTools

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
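The message above argues that vendored copies have to be tracked so that every copy gets fixed when a security issue lands. One practical starting point for a Go package like kubernetes is the vendor/modules.txt file that Go modules write into the vendor/ tree: it records each vendored module, its version, and any replace directive. The script below is an added example for this thread, not Debian or Kubernetes tooling; it parses that file, resolves replacements, and flags modules that sit below a minimum fixed version. The module names, versions and the MINIMUM_FIXED table are constructed for illustration and do not come from the security tracker data.

```python
"""Inventory the Go modules vendored into a source tree and flag any that
sit below a minimum (fixed) version.  Added example for this thread; the
sample modules.txt and the fixed-version table are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Go vendor/modules.txt.  Lines starting with "# "
# name a module and its version; " => " records a replace directive (either
# another module version or a local directory); "## explicit" marks a direct
# requirement; bare lines list the vendored packages of that module.
SAMPLE_MODULES_TXT = """\
# github.com/example/netlib v1.4.2
## explicit
github.com/example/netlib
github.com/example/netlib/http2
# github.com/example/yamlparse v2.2.1+incompatible
## explicit
github.com/example/yamlparse
# github.com/example/oldcrypto v0.9.0 => github.com/example/oldcrypto v0.9.3
github.com/example/oldcrypto
# github.com/example/localfork v1.0.0 => ./third_party/localfork
github.com/example/localfork
"""

# Constructed table: module -> lowest version considered fixed.  In practice
# this would be fed from an advisory source; the values here are invented.
MINIMUM_FIXED = {
    "github.com/example/netlib": "v1.4.3",
    "github.com/example/yamlparse": "v2.2.1",
    "github.com/example/oldcrypto": "v0.9.3",
    "github.com/example/localfork": "v1.0.1",
}

# "# <module> [<version>] [=> <replacement> [<version>]]"
MODULE_LINE = re.compile(
    r"^# (?P<mod>\S+)(?: (?P<ver>v\S+))?"
    r"(?: => (?P<rmod>\S+)(?: (?P<rver>v\S+))?)?$"
)


def parse_modules_txt(text: str) -> Dict[str, Optional[str]]:
    """Map each vendored module to the version actually vendored.

    A replace directive pointing at another module version yields that
    version; a replace pointing at a local directory yields None, because the
    vendored code is a fork whose version cannot be read from modules.txt."""
    inventory: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if not m:
            continue  # package lines and "## explicit" markers
        if m.group("rmod") is None:
            inventory[m.group("mod")] = m.group("ver")
        elif m.group("rmod").startswith((".", "/")):
            inventory[m.group("mod")] = None  # local directory replacement
        else:
            inventory[m.group("mod")] = m.group("rver")
    return inventory


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce a Go module version to (major, minor, patch).

    Drops the leading "v", a "+incompatible" suffix and any pre-release or
    pseudo-version tail (e.g. v0.0.0-20200101000000-abcdef123456 -> 0.0.0)."""
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def find_outdated(inventory: Dict[str, Optional[str]],
                  minimums: Dict[str, str]) -> Dict[str, list]:
    """Compare vendored versions with the fixed-version table.

    Returns modules below the minimum and modules that are local forks and
    therefore need manual review (their version is not machine-readable)."""
    outdated: List[Tuple[str, str, str]] = []
    unversioned: List[str] = []
    for module, vendored in sorted(inventory.items()):
        minimum = minimums.get(module)
        if minimum is None:
            continue
        if vendored is None:
            unversioned.append(module)
        elif parse_version(vendored) < parse_version(minimum):
            outdated.append((module, vendored, minimum))
    return {"outdated": outdated, "unversioned": unversioned}


if __name__ == "__main__":
    report = find_outdated(parse_modules_txt(SAMPLE_MODULES_TXT), MINIMUM_FIXED)
    for module, have, need in report["outdated"]:
        print(f"OUTDATED  {module}: vendored {have}, fixed in {need}")
    for module in report["unversioned"]:
        print(f"REVIEW    {module}: local fork, version not recorded")
```

Running it against a real tree means reading vendor/modules.txt from the unpacked source package instead of the constructed string; local-directory replacements are reported separately on purpose, since those are exactly the forked copies the message describes, and their fix status has to be checked by hand.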

