Bug#907051: Say much more about vendoring of libraries

[Jonathan Nieder <jrnieder@gmail.com>]

Hi,

Sean Whitton wrote:
> On Thu 23 Aug 2018 at 12:27PM +0200, Alec Leamas wrote:

>> https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries
>
> Thank you for sharing this link -- it seems like Fedora have thought
> harder about this than we have, at least at the level of the whole
> project.
>
> We can't jump straight to something as involved in that, but threads
> like this on -devel suggest to me that Policy's discussing of vendoring
> needs to be expanded.
>
> In particular, Policy should explain /why/ bundling is best avoided, and
> the consensus that it sometimes has to happen should be noted, along
> with mention of registering bundled copies with the security team where
> appropriate.

My first instinct was that this belongs in devref, not Policy, since
it is more about the project than about consistency and
interoperability issues that directly affect packaging tools and user
experience.

But then I realized that the Debian Free Software Guidelines, for
example, are part of policy.  This topic would similarly be a good fit
for ch-archive.  Thanks for filing it.

Jonathan