
Re: Including third party libraries should be prevented



Hi Paul,

On Fri, May 24, 2013 at 03:20:45PM +0800, Paul Wise wrote:
> On Fri, May 24, 2013 at 3:00 PM, Andreas Tille wrote:
> 
> > I admit I do not read this list (so please CC) and thus I have no idea
> > whether this was previously discussed.  I was just trying to give some hint
> > to upstream by referring to the UpstreamGuide and noticed that this item is
> > not (yet) mentioned.  The problem becomes clear in the following posting
> > to the Debian Med list:
> >
> >    https://lists.debian.org/debian-med/2013/05/msg00052.html
> 
> The very first section covers embedded copies of other projects:
> 
> Please do not include other packages that are also shipped separately
> inside your source archive, or if you do, please make sure they can be
> reliably ignored. If a security issue is found in one of the bundled
> packages, it is far easier to rebuild one package than to scan the
> entire archive for all copies of this code and patch them individually
> (this happened for zlib, for example).

Ahhh, my "find" for 'third', 'party' and 'lib' failed - probably because
you wrote "packages" which IMHO is a distributor's term and should rather
be "code" or something like this.  I agree that not only libraries
should be mentioned.

> >   Please prevent shipping third party libraries in your source code and
> >   rather make sure your program will link nicely against recent
> >   versions of these libraries.  Otherwise it is a nightmare for
> >   distributors to address security issues in those libraries if these
> >   are hidden in several instances.
> >
> >   It is even worse if you maintain your private forks of third party
> >   libraries.  This is not only troublesome for distributors but in the
> >   long run also to your own project.  You should always make sure that
> >   the patches you might need for your specific application will be
> >   backported to the library upstream - that's simply how Free Software
> >   works.
> >
> >   To make sure your software will run with different versions of third
> >   party code it is way better to provide test cases you can run at any
> >   time to get reproducible results (which is also an additional profit
> >   for your own project).
> >
> > What do you think about putting this (or an enhanced version) into the
> > Wiki page
> 
> Sounds good to me, please replace the paragraph I quoted above with
> your three paragraphs. Please also rewrite them a bit to make it clear
> that this isn't just about libraries but also data (we have outdated
> copies of the Unicode data in Debian for example) and non-library
> source code.

I'll do so straight in the Wiki, which can be easily edited afterward.  I
think I will put this into an extra subsection to make it more visible.

Kind regards

        Andreas.

-- 
http://fam-tille.de
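The thread's concern is that a security fix in a bundled library (zlib is the example given) has to be found and re-applied in every embedded copy across an archive. The following script is an added example, not part of this thread or of the UpstreamGuide: it walks a source tree, looks for marker headers of well-known libraries, extracts the version macro from each copy, and flags copies older than an assumed reference version. The marker table, the reference versions and the sample tree it builds are all constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Header names that signal an embedded copy of a well-known library, mapped
# to the library name and a regex capturing its version macro.  zlib is the
# library named in the thread; sqlite3 is an added, illustrative entry.
MARKERS = {
    "zlib.h": ("zlib", r'#define\s+ZLIB_VERSION\s+"([^"]+)"'),
    "sqlite3.h": ("sqlite", r'#define\s+SQLITE_VERSION\s+"([^"]+)"'),
}


def find_embedded_copies(root):
    """Walk root and return [(relative_posix_path, library, version)] for
    every marker header found, sorted by path.  version is None when the
    header exists but carries no recognisable version macro."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in MARKERS:
                continue
            library, pattern = MARKERS[name]
            path = Path(dirpath) / name
            match = re.search(pattern, path.read_text(errors="replace"))
            version = match.group(1) if match else None
            hits.append((path.relative_to(root).as_posix(), library, version))
    return sorted(hits)


def _version_key(version):
    # Compare dotted versions numerically ("1.2.10" > "1.2.8").
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated_copies(hits, reference):
    """Return the hits whose library appears in the reference dict with a
    newer version, i.e. the embedded copies a distributor would need to
    patch or replace when a fix lands in the separately shipped library."""
    return [
        hit for hit in hits
        if hit[2] is not None
        and hit[1] in reference
        and _version_key(hit[2]) < _version_key(reference[hit[1]])
    ]


def build_sample_tree(base):
    """Constructed sample project: application code plus two bundled copies
    of third party libraries under different vendoring directories."""
    base = Path(base)
    (base / "src").mkdir(parents=True)
    (base / "src" / "main.c").write_text('#include "zlib.h"\nint main(void) { return 0; }\n')
    (base / "third_party" / "zlib").mkdir(parents=True)
    (base / "third_party" / "zlib" / "zlib.h").write_text('#define ZLIB_VERSION "1.2.3"\n')
    (base / "contrib" / "sqlite").mkdir(parents=True)
    (base / "contrib" / "sqlite" / "sqlite3.h").write_text('#define SQLITE_VERSION "3.7.17"\n')
    return base


def demo():
    """Scan the constructed tree against an assumed reference version of
    zlib (1.2.8 is used here purely as the hypothetical 'fixed' version)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_embedded_copies(root)
        stale = outdated_copies(hits, {"zlib": "1.2.8"})
        return hits, stale


if __name__ == "__main__":
    found, stale = demo()
    for path, library, version in found:
        print(f"embedded copy of {library} {version} at {path}")
    for path, library, version in stale:
        print(f"NEEDS ATTENTION: {library} {version} at {path} is older than reference")
```

Running the script on a real checkout instead of the constructed tree only requires pointing `find_embedded_copies` at the source root and filling `reference` with the versions the distribution actually ships; the marker table is the part that has to grow for each library a project is known to vendor.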
