
Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?



On Tue, May 17, 2016 at 04:02:37PM +0800, seamlikok@gmail.com wrote:
> BoringSSL is also free software; as long as there are maintainers who
> are willing to spend time on it, I think it has a right to exist in
> Debian. Well, I have not been contributing to Debian for long, so
> please point out my mistakes. :)

The question is, "who does the security updates for the package 5 years from now?" As a general rule, we don't allow private embedded copies of libraries, because then a security update for a library means chasing down and fixing any number of copies. (In historic terms, this was a huge issue, for example, with zlib bugs.) On top of that, if the upstream says flat-out that it's an unstable API, putting it into a Debian release seems like a bad idea. Putting it in unstable and never letting it make it to stable is a possibility, but the point of unstable is to eventually get packages into a released version, so that seems somewhat of an abuse of the system. If it's really a standalone component that's expected to change a lot and not interact with anything else in Debian, then putting it in an external repository seems like a better fit.

Mike Stone

