Bug#488753: (forw) Re: Boost bundling
Micah Anderson wrote:
> However, it had not been accepted by the FTP masters, and as such it was
> not part of the archive yet. Typically when there is a delay such as
> this in accepting the package into the archive there is some problem,
> either legal/licensing or technical that is keeping the package from
> being accepted. I contacted a member of the FTP team to ask what the
> hold-up was and was told the reason is because passenger has an embedded
> copy of boost and the FTP team has asked the maintainer at least twice
> about it and has received no reply.

That's strange, I don't recall having been contacted about this subject.

> As a result of these issues causing a significant number of hours to
> track, update and manage, with many clever technical solutions developed
> to do things like use the clamav signature mechanisms to scan the entire
> archive, etc. Eventually the Debian project saw fit to adopt a policy
> with specific language about embedded "convenience copies" of code
> (section 4.13). And this is where Passenger is currently stuck.

I understand why Debian has adopted this policy. However, as explained
in the forwarded email, Phusion Passenger uses a modified version of Boost.
We accept full responsibility for any security problems found in Boost.
If a security problem is found in Boost then we _will_ update our
Phusion | The Computer Science Company
Chamber of commerce no: 08173483 (The Netherlands)