
Re: Finding rough consensus on level of vendoring for large upstreams



On Thu, Sep 2, 2021 at 10:39 PM Phil Morrell wrote:

> Over this last year there seems to have been a noticeable divergence of
> maintainer opinion, on what has become known as vendoring

Embedded copies of code/etc have downsides ...

https://wiki.debian.org/EmbeddedCopies

> It is my reading of the situation that not only has this practice become
> more prevalent across multiple ecosystems since 2008

... but there are many, many copies in Debian and they are not going
away upstream.

> [security-tracker]: https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies

Side note: This file is very much outdated, new copies are introduced
all the time and old copies get removed. This has always been the case
and it always will be.

So we need to cope with the consequences of this change toward
embedding in the upstream FLOSS ecosystems.

Personally, my recommendations are that:

Debian package maintainers could investigate upstream tarballs for
embedded copies before each upload containing a new/changed upstream
tarball.

Debian package maintainers could talk to upstream about removing
embedded copies and replacing them with dependencies.

Debian package maintainers could talk to upstream about upstreaming
changes in modified embedded copies, removing the embedded copies and
replacing them with dependencies.

Debian package maintainers could use Files-Excluded or `rm -r` in
debian/rules to ensure that embedded copies are not used by the build.

Debian package maintainers could add hints to the source package about
which embedded copies are definitely used.

Debian security tracker could remove the perpetually outdated list of
embedded copies.

Debian security issue investigators could search the archive for
similar or duplicate code (using the tools listed on the above wiki
page), investigate the build logs for each package found and determine
which packages are affected. This is a lot of work, but given the
level of embedding we already have, it is already necessary.

Also, the issue of static linking is similar: it is here, it isn't
going away, so now we have to cope with it, and the problems it
causes are similar to those of embedded copies.

https://wiki.debian.org/StaticLinking

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


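As an added example (not part of pabs's mail and not a Debian tool), a POSIX shell script that does two of the maintainer steps listed above on an unpacked upstream tree: scan it for likely embedded copies, then print the matching Files-Excluded stanza for debian/copyright and an equivalent `rm -r` override for debian/rules. The marker lists, the sample tree it builds under mktemp, and the override_dh_auto_configure hook are assumptions chosen for illustration; the real list of names to look for would come from the EmbeddedCopies wiki page and the package's own history.

```shell
#!/bin/sh
# Added example: find probable embedded copies in an unpacked upstream tree
# and emit the debian/copyright and debian/rules snippets that keep them out
# of the build. Not Debian tooling; marker lists are a starter set (assumption).

# Directory names that upstreams commonly use for bundled code (assumption).
EMBEDDED_DIR_MARKERS='third_party thirdparty vendor bundled deps'
# File name patterns of frequently embedded libraries (assumption).
EMBEDDED_FILE_MARKERS='sqlite3.c zlib.h expat.h jquery*.js lodash*.js'

# Print each probable embedded copy, relative to the tree root, one per line.
# A file inside an already-listed directory is not repeated.
find_embedded_copies() {
    tree=$1
    (
        cd "$tree" || exit 1
        set -f   # keep the marker words literal; find does the matching
        for d in $EMBEDDED_DIR_MARKERS; do find . -type d -name "$d"; done
        for f in $EMBEDDED_FILE_MARKERS; do find . -type f -name "$f"; done
    ) | sed 's|^\./||' | LC_ALL=C sort -u | awk '
        { keep = 1
          for (p in seen) if (index($0, p "/") == 1) keep = 0
          if (keep) { print; seen[$0] = 1 } }'
}

# debian/copyright header field: uscan/mk-origtargz strip these paths when
# repacking, so the copies never enter the orig tarball.
files_excluded_stanza() {
    paths=$(find_embedded_copies "$1")
    [ -n "$paths" ] || return 0
    printf 'Files-Excluded:\n'
    printf '%s\n' "$paths" | sed 's/^/ /'
}

# debian/rules alternative: delete the copies before configure runs so the
# build cannot pick them up (they stay in the orig tarball, see note below).
rules_rm_snippet() {
    paths=$(find_embedded_copies "$1")
    [ -n "$paths" ] || return 0
    printf 'override_dh_auto_configure:\n'
    printf '%s\n' "$paths" |
        awk 'BEGIN { printf "\trm -r" } { printf " %s", $0 } END { print "" }'
    printf '\tdh_auto_configure\n'
}

# Constructed sample tree standing in for an unpacked upstream tarball.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/vendor" "$root/third_party/sqlite" "$root/js" "$root/include"
    : > "$root/src/main.c"
    : > "$root/src/vendor/lodash-4.17.21.js"     # covered by the vendor dir
    : > "$root/third_party/sqlite/sqlite3.c"      # covered by third_party
    : > "$root/js/jquery-3.6.0.min.js"            # matched by file pattern
    : > "$root/include/zlib_compat.h"             # must not match zlib.h
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
demo_tree=$(make_sample_tree)
find_embedded_copies "$demo_tree"
files_excluded_stanza "$demo_tree"
rules_rm_snippet "$demo_tree"
rm -rf "$demo_tree"
```

The two snippets are not equivalent: Files-Excluded keeps the copy out of the orig tarball, so it also disappears from archive-wide code searches, while `rm -r` in debian/rules only stops the build from using it and the copy still ships in the source package. A match from this scan is a lead, not a verdict; the build log is what shows whether the copy was actually compiled in.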