Including third party libraries should be prevented
Hi,
I admit I do not read this list (so please CC) and thus I have no idea
whether this was previously discussed. I was just trying to give some hints
to upstream by referring to the UpstreamGuide and noticed that this item is
not (yet) mentioned. The problem becomes clear in the following posting
to the Debian Med list:
https://lists.debian.org/debian-med/2013/05/msg00052.html
and we have several other examples that could be addressed by some advice
like:
Please avoid shipping third-party libraries in your source code and
rather make sure your program will link nicely against recent
versions of these libraries. Otherwise it is a nightmare for
distributors to address security issues in those libraries if these
are hidden in several instances.
It is even worse if you maintain your own private forks of third-party
libraries. This is not only troublesome for distributors but in the
long run also for your own project. You should always make sure that
the patches you might need for your specific application will be
backported to the library upstream - that's simply how Free Software
works.
To make sure your software will run with different versions of third-party
code, it is way better to provide test cases you can run at any
time to get reproducible results (which is also an additional benefit
for your own project).
What do you think about putting this (or an enhanced version) into the
Wiki page
https://wiki.debian.org/UpstreamGuide
Kind regards and thanks for maintaining UpstreamGuide
Andreas.
--
http://fam-tille.de
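The distributor's side of the problem described in the mail above is finding the copies in the first place: a library header buried under third_party/, ext/ or src/vendor/ is exactly the "hidden instance" that a security update for the system library never reaches. The script below is an added example, not part of the mail or of the UpstreamGuide, that walks a source tree and reports every embedded copy of a few common C libraries together with the version it carries, so that two different zlib versions in one tree stand out. The fingerprint table (header name plus the version macro the real header defines) is an illustrative assumption limited to zlib, libpng and expat; the sample tree it scans is constructed in a temporary directory inside the script.

```python
"""Find embedded ("convenience") copies of third-party libraries in a
source tree.  Added example; not code from the mail or the UpstreamGuide.
The fingerprint table is an assumption covering three libraries only."""
import os
import re
import tempfile
from collections import defaultdict

# Header file name -> (library name, regex capturing the version).
# Assumption: these are the version macros the real headers define.
FINGERPRINTS = {
    "zlib.h": ("zlib", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "png.h": ("libpng", re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')),
    "expat.h": ("expat", re.compile(r'#define\s+XML_MAJOR_VERSION\s+(\d+)')),
}

# Directories that never hold the project's own shipped sources.
SKIP_DIRS = {".git", ".svn", ".hg", "build"}


def find_embedded_copies(root):
    """Return a sorted list of (library, relative_path, version), one
    entry per embedded copy found under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name not in FINGERPRINTS:
                continue
            lib, pattern = FINGERPRINTS[name]
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            match = pattern.search(text)
            if match is None:
                continue  # same file name, but not the library's own header
            found.append((lib, os.path.relpath(path, root), match.group(1)))
    found.sort()
    return found


def report(copies):
    """Group hits per library so that several instances of the same
    library (the 'hidden in several instances' case) are obvious.
    Returns a dict: library -> list of (relative_path, version)."""
    per_lib = defaultdict(list)
    for lib, path, version in copies:
        per_lib[lib].append((path, version))
    return dict(per_lib)


def build_sample_tree():
    """Constructed sample tree (not a real project): two different zlib
    copies, one libpng copy, and a decoy zlib.h that is only a wrapper."""
    root = tempfile.mkdtemp(prefix="embedded-libs-")
    files = {
        "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.8"\n',
        "src/vendor/zlib-1.2.3/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
        "ext/libpng/png.h": '#define PNG_LIBPNG_VER_STRING "1.6.37"\n',
        "src/compat/zlib.h": "/* thin wrapper that includes <zlib.h> */\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for lib, hits in sorted(report(find_embedded_copies(tree)).items()):
        print(f"{lib}: {len(hits)} embedded cop{'y' if len(hits) == 1 else 'ies'}")
        for path, version in hits:
            print(f"  {version:>8}  {path}")
```

Run against a real unpacked tarball, pass the source directory to find_embedded_copies() instead of the constructed tree; each reported path is a place where a security fix applied to the system library would not take effect until the embedded copy is removed or the build is switched to link against the system version.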