Re: Including third party libraries should be prevented

To: Andreas Tille <andreas@an3as.eu>
Cc: debian-upstream@lists.debian.org
Subject: Re: Including third party libraries should be prevented
From: Paul Wise <pabs@debian.org>
Date: Fri, 24 May 2013 15:20:45 +0800
Message-id: <[🔎] CAKTje6HpmS9MRRfPydd3M4dH49vMmhrfQaOEWxSRvk-XOYwyMg@mail.gmail.com>
In-reply-to: <[🔎] 20130524070026.GA20915@an3as.eu>
References: <[🔎] 20130524070026.GA20915@an3as.eu>

On Fri, May 24, 2013 at 3:00 PM, Andreas Tille wrote:

> I admit I do not read this list (so please CC) and thus I have no idea
> whether this was previously discussed.  I was just trying to give some hint
> to upstream by refering to the UpstreamGuide and noticed that this item is
> not (yet) mentioned.  The problem becomes clear in the following posting
> to Debian Med list:
>
>    https://lists.debian.org/debian-med/2013/05/msg00052.html

The very first section covers embedded copies of other projects:

Please do not include other packages that are also shipped separately
inside your source archive, or if you do, please make sure they can be
reliably ignored. If a security issue is found in one of the bundled
packages, it is far easier to rebuild one package than to scan the
entire archive for all copies of this code and patch them individually
(this happened for zlib, for example).

>   Please prevent shipping third party libraries in your source code and
>   rather make sure your program will be link nicely against recent
>   versions of these libraries.  Otherwise it is a nightmare for
>   distributors to address security issues in those libraries if these
>   are hidden in several instances.
>
>   It is even worse if you maintain your private forks of third party
>   libraries.  This is not only troublesome for distributors but in the
>   long run also to your own project.  You should always make sure that
>   the patches you might need for your specific application will be
>   backported to the library upstream - that's simply how Free Software
>   works.
>
>   To make sure your software will run with different versions of third
>   party code it is way better to provide test cases you can run at any
>   time to get reproducible results (which is also an additional profit
>   for your own project).
>
> What do you think about putting this (or an enhanced version) into the
> Wiki page

Sounds good to me, please replace the paragraph I quoted above with
your three paragraphs. Please also rewrite them a bit to make it clear
that this isn't just about libraries but also data (we have outdated
copies of the Unicode data in Debian for example) and non-library
source code.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Including third party libraries should be prevented
  - From: Andreas Tille <tille@debian.org>
- Re: Including third party libraries should be prevented
  - From: Andreas Tille <tille@debian.org>

References:
- Including third party libraries should be prevented
  - From: Andreas Tille <andreas@an3as.eu>

Prev by Date: Including third party libraries should be prevented
Next by Date: Re: Including third party libraries should be prevented
Previous by thread: Including third party libraries should be prevented
Next by thread: Re: Including third party libraries should be prevented
Index(es):
- Date
- Thread