
Bug#958250: Use system libjsonparser-dev



On Tuesday, 21 April 2020, 12.59.20 EEST, Jonas Smedegaard wrote:
> > > But anyway, is libjsonparser's upstream still active? No release
> > > since 2014 doesn't suggest that they are. If that is not the case
> > > and we end up with libjsonparser being maintained in Debian, this
> > > means that changing vlc to libjsonparser is not upstreamable. Due to
> > > the size and security history of vlc, I'd like to avoid that.
> 
> A security bug in libjsonparser should be fixed for all consumers of
> that library, not only for VLC.
>
> If upstream project is dead, and VLC discovers and fixes a bug in the
> library, then that bugfix should be forwarded to the Debian package so
> that other consumers benefit from it as well.

As an upstream developer, I would counter that it is up to Debian, 
specifically, the maintainers of the affected package (not VLC) to take bug fixes 
if their upstream is dead.

> Only if VLC changes the API of libjsonparser, effectively forking it
> (and that fork is not packaged separately in Debian!) does it make sense
> to keep using an embedded code copy.

In general and overall, VLC has a pretty good track record of enabling Linux 
distros to use system library builds rather than embedded ones.

But to put things back into historical context, libjsonparser was added to 
Debian in 2018. VLC has depended on it since 2012 and it is quite a small 
library, so that's that.

With that said, in this particular case, VLC 4.0 is probably getting rid of 
libjsonparser entirely in favour of a different implementation, so the 
motivation for overhauling the build system around it is pretty much 
nonexistent from the VLC project side.

-- 
雷米‧德尼-库尔蒙
http://www.remlab.net/

