On Tue, Mar 24, 2020 at 1:47 AM Sean Whitton wrote:

> Specifically, as README.Debian states, the vendor/ subdirectory of the
> source package contains more than two hundred Go libraries.

There are a *lot* of embedded code/data copies in Debian already. While
it would be nice to remove them, sometimes it isn't possible. Often the
copies are forked, or upstream refuses to remove them, sometimes even
though they forgot why they were added in the first place. In addition
the developer culture in various communities encourages embedded copies.

I think the best action we can do is send patches to upstream projects
to switch from vendoring to using the native dependency system of the
package manager for the related language community. ISTR reading that
Go has one of those now. Where language communities don't have a native
package manager, we need to invent one for them. Then we can use things
like dh-make-perl to package the dependencies for Debian. I have no data
but I think this approach is more likely to have success than ranting
about embedded copies, tempting though that is.

Apart from trying to discourage their use, unfortunately embedded copies
are here and they will never go away and we need to accept that fact and
to deal with the consequences; for example to ensure that all copies get
fixed for security issues, try to get them updated upstream after
important bug/performance fixes and so on.

https://wiki.debian.org/EmbeddedCodeCopies
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
https://wiki.debian.org/AutomaticPackagingTools

-- 
bye,
pabs

https://wiki.debian.org/PaulWise