
Re: Question Under Proposal D: Compile Time Option



Bernd Zeimetz <bernd@bzed.de> writes:
> On 11/30/19 8:58 AM, Thibaut Paumard wrote:

>> I think the right fix would be to compile the package twice as "foo"
>> (for the systemd version) and "foo-non-systemd".

>> Another option would be to ship both versions in package "foo" and
>> decide at runtime which one to run, if technically feasible.

>> My understanding of D.7 is that, if someone provides a patch that
>> implements either of these in a maintainable fashion, this patch should
>> be accepted.

> I'm wondering what the security team says to this approach. Who is
> actually going to review these changes, given the fact that most of the
> features in systemd that need patches in packages are somehow security
> relevant?

In the Kerberos world, we've shipped two binary packages built from the
same source package against MIT Kerberos and Heimdal for some time in
places where that makes sense.  It hasn't been much of a problem in
practice, although obviously it's extra packaging work.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

