
Re: What to do when DD considers policy to be optional? [kubernetes]

On Mar 24, Russ Allbery <rra@debian.org> wrote:

> (The Rust team is trying the package everything approach with some success
> but is uncovering other limitations in our processes and tools.)  But
"Some" success indeed. My personal experience with trying to package 
routinator has been awful, and there is still no actual package in the 
archive after many months because it depends on a version of a library 
which is different from the version that we have in the archive, and 
there is nothing wrong with this in the Rust world.

The main reason for mostly forbidding vendored libraries has been that 
the security team rightly argues that in the event of a security issue 
it would be too much work to 1) hunt each package using a vendored 
library and 2) patch and rebuild all of them.
This does not really matter for Go and Rust software because 1) the list 
of (vendored) dependencies can be extracted automatically at build time 
and 2) all this software would have to be rebuilt anyway since these 
languages do not support or do not use dynamic linking.

Also, shared libraries save memory when multiple programs using them are 
run concurrently, but nowadays this kind of saving is rarely meaningful.

Because of these reasons maybe we should consider supporting vendored 
libraries in some cases.


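An added example, not part of this message and not Debian or Rust project tooling, illustrating the point above that the vendored dependency list can be extracted automatically: a small Python script that reads the `[[package]]` entries of several Cargo.lock files and, given a hypothetical advisory (crate name plus first fixed version), reports which source packages vendor an affected version and which dependency chain pulls it in. The lockfiles, package names, versions and the advisory are all constructed for the example and do not describe any real release; the version comparison is deliberately simple (numeric `X.Y.Z` only, pre-release suffixes dropped).

```python
"""Hunt vendored crates across several (constructed) Cargo.lock files.

Hypothetical helper for the "which packages vendor this library?" question:
parse each Cargo.lock, list the versions of a named crate that are older
than the advisory's fixed version, and explain why the crate is pulled in.
"""
import re
from collections import deque
from typing import Dict, List, Tuple


def parse_cargo_lock(text: str) -> List[dict]:
    """Minimal line-based parser for the [[package]] stanzas of a Cargo.lock.

    Each entry becomes {"name", "version", "deps"}. A dependency is written
    either as "name" or as "name version" (Cargo adds the version only when
    several versions of the same crate are locked); both forms are kept.
    """
    packages: List[dict] = []
    current = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            packages.append(current)
            in_deps = False
        elif current is None:
            continue  # header material before the first stanza
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            else:
                m = re.match(r'"([^"]+)"', line)
                if m:
                    current["deps"].append(m.group(1))
        elif line.startswith("dependencies = ["):
            in_deps = True
        else:
            m = re.match(r'(name|version)\s*=\s*"([^"]*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare plain numeric versions; a -pre or +build suffix is dropped."""
    return tuple(int(p) for p in re.split(r"[-+]", v)[0].split("."))


def affected_versions(packages: List[dict], crate: str, fixed: str) -> List[str]:
    """Locked versions of `crate` that are older than the fixed version."""
    return sorted(p["version"] for p in packages
                  if p["name"] == crate
                  and version_tuple(p["version"]) < version_tuple(fixed))


def find_affected(lockfiles: Dict[str, str], crate: str, fixed: str) -> Dict[str, List[str]]:
    """Map source package -> affected versions of `crate` it vendors."""
    hits = {}
    for source_pkg, text in lockfiles.items():
        bad = affected_versions(parse_cargo_lock(text), crate, fixed)
        if bad:
            hits[source_pkg] = bad
    return hits


def dependency_chain(packages: List[dict], crate: str) -> List[str]:
    """Shortest chain 'root -> ... -> crate' showing why the crate is vendored.

    Roots are packages nobody depends on (the binaries being built). Returns
    [] when the crate is not in the lockfile.
    """
    by_name: Dict[str, List[dict]] = {}
    for p in packages:
        by_name.setdefault(p["name"], []).append(p)
    edges: Dict[str, List[str]] = {}
    depended = set()
    for p in packages:
        key = f'{p["name"]} {p["version"]}'
        edges[key] = []
        for dep in p["deps"]:
            name, _, ver = dep.partition(" ")
            for cand in by_name.get(name, []):
                if ver and cand["version"] != ver:
                    continue
                target = f'{cand["name"]} {cand["version"]}'
                edges[key].append(target)
                depended.add(target)
    queue = deque((root, [root]) for root in edges if root not in depended)
    seen = set()
    while queue:  # breadth-first, so the first hit is a shortest chain
        node, path = queue.popleft()
        if node.split(" ")[0] == crate:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt in edges[node]:
            queue.append((nxt, path + [nxt]))
    return []


# Constructed lockfiles: names and versions are made up for the example.
LOCKFILES = {
    "routinator": """
[[package]]
name = "routinator"
version = "0.9.0"
dependencies = [
 "rpki",
 "tokio",
]

[[package]]
name = "rpki"
version = "0.12.0"
dependencies = [
 "bytes 0.5.6",
]

[[package]]
name = "tokio"
version = "1.5.0"
dependencies = [
 "bytes 1.0.1",
]

[[package]]
name = "bytes"
version = "0.5.6"

[[package]]
name = "bytes"
version = "1.0.1"
""",
    "othertool": """
[[package]]
name = "othertool"
version = "2.0.0"
dependencies = [
 "bytes",
]

[[package]]
name = "bytes"
version = "1.2.0"
""",
}

if __name__ == "__main__":
    # Hypothetical advisory: "bytes" fixed in 1.1.0 (constructed, not real).
    for src, versions in find_affected(LOCKFILES, "bytes", "1.1.0").items():
        chain = dependency_chain(parse_cargo_lock(LOCKFILES[src]), "bytes")
        print(f"{src}: rebuild needed, vendors bytes {versions}; via {' -> '.join(chain)}")
```

Two lockfiles locking two different versions of the same crate (as in the routinator case above) are handled by the `name version` dependency form; the report tells a maintainer both which source packages need a rebuild and which of their direct dependencies is responsible.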