Hongli Lai wrote:
Micah Anderson wrote:
However, it had not been accepted by the FTP masters, and as such it was not part of the archive yet. Typically when there is a delay such as this in accepting the package into the archive there is some problem, either legal/licensing or technical that is keeping the package from being accepted. I contacted a member of the FTP team to ask what the hold-up was and was told the reason is because passenger has an embedded copy of boost and the FTP team has asked the maintainer at least twice about it and have received no reply.

That's strange, I don't recall having been contacted about this subject before.
Yep, you weren't. I was contacted... the maintainer in this case is the package maintainer. And I'd no time to go after this....
As a result of these issues causing a significant number of hours to track, update and manage, with many clever technical solutions developed to do things like use the clamav signature mechanisms to scan the entire archive, etc. Eventually the Debian project saw fit to adopt a policy[2] with specific language about embedded "convenience copies" of code (section 4.13). And this is where Passenger is currently stuck.

I understand why Debian has adopted this policy. However, as explained in the forwarded email, Phusion Passenger uses a modified version of Boost. We accept full responsibility for any security problems found in Boost. If a security problem is found in Boost then we _will_ update our bundled version.
Thank you! Cheers filipe