
Bug#824520: Just don't

Hello,

I was maintaining subsurface in Debian for a while.

In subsurface, they keep forking libraries. In Debian, it's not
allowed to have source packages containing forked libraries. This is
due to the fact that the security team doesn't want to have to find
multiple copies of the same bug in libraries which might have slight
differences, and apply fixes in all of the copies. In my opinion it's
a very sensible approach.

I don't know what the policies in other distributions are, about
duplicated source code.

Unfortunately in subsurface, they don't care about any of this, and
keep forking libraries.

While libdivecomputer isn't problematic, because it is the only
project using it, libmarble and libgit2 pose a problem, and they are
internet facing, so could have security vulnerabilities.

Upstream is not willing to help in using the original libraries rather
than the forks, so a huge amount of patches is necessary to keep this
package in Debian.

The alternative is to delete all parts of code that use those
libraries, and lose many functionalities.

I am not closing this bug, but if anyone is reading this, my advice is
to move on and not try to package it.

Best
