Bug#212085: Build-dependencies cannot be satisfied in unstable
On Tue, Sep 23, 2003 at 08:53:32AM +0200, Matthias Klose wrote:
> Matt Zimmerman writes:
> > It is a problem for us to ship binary packages that we cannot build.
>
> We did it before shipping unbuildable libstdc++ packages (built from
> egcs-1.x), and I assume we are able to find other examples. we still
> can build it from source on a (current) stable system.
Yes, we've also shipped kernels without their source code, but this is a
license violation and we should stop doing it.
> > What happens if we needed to do an urgent update on this package (e.g.,
> > security)? Or if a user needs to patch and rebuild it?
>
> show me even one security update for a gcc package in the last years. give
> me a reason why a user should rebuild a runtime library.
>
> I don't argue that your reasons are invalid, but they are unlikely enough
> that it's worth to consider keeping the package in sarge.
This particular library has a clean security record, but frankly I don't
know whether that's just because no one has prodded it much. I'll grant
that it's unlikely that something would turn up that we needed to urgently
fix.
However, there are plenty of good reasons for a user rebuilding a runtime
library; I've certainly done it on many occasions. For example, rebuilding
libpthread with a larger PTHREAD_THREADS_MAX and smaller STACK_SIZE.
But if we can't do it, we can't do it, and it's certainly valuable to have
the runtime library in sarge.
--
- mdz
Reply to: