Re: Including third party libraries should be prevented
Hi Paul,
On Fri, May 24, 2013 at 03:20:45PM +0800, Paul Wise wrote:
> On Fri, May 24, 2013 at 3:00 PM, Andreas Tille wrote:
>
> > I admit I do not read this list (so please CC) and thus I have no idea
> > whether this was previously discussed. I was just trying to give some hint
> > to upstream by referring to the UpstreamGuide and noticed that this item is
> > not (yet) mentioned. The problem becomes clear in the following posting
> > to Debian Med list:
> >
> > https://lists.debian.org/debian-med/2013/05/msg00052.html
>
> The very first section covers embedded copies of other projects:
>
> Please do not include other packages that are also shipped separately
> inside your source archive, or if you do, please make sure they can be
> reliably ignored. If a security issue is found in one of the bundled
> packages, it is far easier to rebuild one package than to scan the
> entire archive for all copies of this code and patch them individually
> (this happened for zlib, for example).
Ahhh, my "find" for 'third', 'party' and 'lib' failed - probably because
you wrote "packages" which IMHO is a distributors term and should rather
be "code" or something like this. I agree that not only libraries
should be mentioned.
> > Please prevent shipping third party libraries in your source code and
> > rather make sure your program will link nicely against recent
> > versions of these libraries. Otherwise it is a nightmare for
> > distributors to address security issues in those libraries if these
> > are hidden in several instances.
> >
> > It is even worse if you maintain your private forks of third party
> > libraries. This is not only troublesome for distributors but in the
> > long run also to your own project. You should always make sure that
> > the patches you might need for your specific application will be
> > backported to the library upstream - that's simply how Free Software
> > works.
> >
> > To make sure your software will run with different versions of third
> > party code it is way better to provide test cases you can run at any
> > time to get reproducible results (which is also an additional profit
> > for your own project).
> >
> > What do you think about putting this (or an enhanced version) into the
> > Wiki page
>
> Sounds good to me, please replace the paragraph I quoted above with
> your three paragraphs. Please also rewrite them a bit to make it clear
> that this isn't just about libraries but also data (we have outdated
> copies of the Unicode data in Debian for example) and non-library
> source code.
I'll do so straight in the Wiki which can be easily edited afterward. I
think I will put this into an extra subsection to make it more visible.
Kind regards
Andreas.
--
http://fam-tille.de
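The "scan the entire archive for all copies of this code" problem quoted earlier in this thread is what distributors' embedded-code-copy checks try to automate. As an added example that is not part of this thread and is not Debian's or lintian's own code, the following Python script walks a source tree, looks for marker headers of a few well-known libraries, and reports the bundled version string it finds in each one. The signature table (`SIGNATURES`), the helper names and the sample tree with a stand-in `zlib.h` are all constructed for this example; a real check would carry a far longer signature list.

```python
import os
import re
import tempfile
from pathlib import Path

# One signature per library: the marker file name and a regex that pulls
# the version out of it. This short table is an assumption made for the
# example; real distributor tooling keeps a much longer list.
SIGNATURES = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "libpng": ("png.h", re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')),
    "expat": ("expat.h", re.compile(r'#define\s+XML_MAJOR_VERSION\s+(\d+)')),
}


def find_embedded_copies(root):
    """Walk a source tree and report files that look like bundled copies of
    the libraries in SIGNATURES. Returns a list of dicts sorted by path; a
    missing version string is reported as None rather than hiding the hit."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for lib, (marker, version_re) in SIGNATURES.items():
                if name != marker:
                    continue
                path = Path(dirpath) / name
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable file: skip, do not abort the scan
                m = version_re.search(text)
                hits.append({
                    "library": lib,
                    "path": path.relative_to(root).as_posix(),
                    "version": m.group(1) if m else None,
                })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Construct a throwaway source tree containing one vendored zlib copy.
    The header content is a constructed stand-in, not the real zlib."""
    root = Path(tempfile.mkdtemp(prefix="embedded-copy-demo-"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text(
        '#include "zlib.h"\nint main(void) { return 0; }\n'
    )
    vendored = root / "third_party" / "zlib"
    vendored.mkdir(parents=True)
    (vendored / "zlib.h").write_text(
        "/* constructed stand-in for a vendored zlib header */\n"
        '#define ZLIB_VERSION "1.2.7"\n'
    )
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for hit in find_embedded_copies(tree):
        print(f"{hit['library']:8s} {hit['version'] or '?':8s} {hit['path']}")
```

Run against a real checkout instead of the sample tree by calling `find_embedded_copies("/path/to/source")`. Matching on marker files and version defines is deliberately simple: it produces a list a maintainer can review by hand, which is the point of the thread, and it reports a copy even when the version string is missing so that renamed or trimmed copies do not silently pass.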