Hi Raphael,

Raphael Hertzog wrote:
> this is a clear design choice of upstream and given that all those
> libraries are maintained by the same person (and that he is not providing
> any official API stability), I don't think it's really problematic.
> Also all those libraries are really small.
>
> Trying to package them separately would be a huge mess.

This is all very true and would be no problem, if they were present only in a single source package. But we're far from that case.

The mess is that these libraries were partially packaged separately, too (see the mentioned libbfio), or were packaged in a multitude of different development states in up to 22 different source packages.

So every time there is a security issue in one of these libraries, the security team will have to check all the libyal-originating source packages, check if the affected library is included and especially at which version or git commit (but neither is preserved by upstream's tarball building script) it was included in that specific source package, and if they are affected.

I think I forgot to mention this explanatory link in my first mail: https://wiki.debian.org/EmbeddedCopies

Please also remember Debian Policy §4.13, which states that Debian packages should not use convenience copies. (It's no "must", otherwise these would all be RC bugs, but it's still something we should strive for.)

Regards, Axel

--
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE