On Mar 24, Russ Allbery <r...@debian.org> wrote:

> (The Rust team is trying the package everything approach with some success
> but is uncovering other limitations in our processes and tools.)

But "Some" success indeed. My personal experience with trying to package routinator has been awful, and there is still no actual package in the archive after many months because it depends on a version of a library which is different from the version that we have in the archive, and there is nothing wrong with this in the Rust world.

The main reason for mostly forbidding vendored libraries has been that the security team rightly argues that in the event of a security issue it would be too much work to 1) hunt each package using a vendored library and 2) patch and rebuild all of them.

This does not really matter for Go and Rust software because 1) the list of (vendored) dependencies can be extracted automatically at build time and 2) all this software would have to be rebuilt anyway since these languages do not support or do not use dynamic linking.

Also, shared libraries save memory when multiple programs using them are run concurrently, but nowadays this kind of saving is rarely meaningful.

Because of these reasons maybe we should consider supporting vendored libraries in some cases.

--
ciao,
Marco
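Added example, not part of the original message: a sketch of the "hunt each package" step done mechanically, assuming every Rust source package ships a `Cargo.lock`. The package names, crate name, versions and helper functions are constructed for illustration.

```python
import re

# Constructed Cargo.lock excerpts for two hypothetical source packages.
LOCKS = {
    "pkg-a": '''
[[package]]
name = "pkg-a"
version = "0.1.0"

[[package]]
name = "examplelib"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
''',
    "pkg-b": '''
[[package]]
name = "pkg-b"
version = "2.0.0"

[[package]]
name = "examplelib"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
''',
}

def locked_crates(lock_text):
    """Return {(name, version)} for every [[package]] entry in a Cargo.lock."""
    crates = set()
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            crates.add((name.group(1), version.group(1)))
    return crates

def vtuple(version):
    """Numeric major.minor.patch only; pre-release/build tags are ignored."""
    core = re.split(r"[-+]", version)[0]
    return tuple(int(p) for p in core.split("."))

def needs_rebuild(locks, crate, fixed_in):
    """Source packages whose lock file pins `crate` below `fixed_in`."""
    hits = {}
    for pkg, text in locks.items():
        for name, version in locked_crates(text):
            if name == crate and vtuple(version) < vtuple(fixed_in):
                hits.setdefault(pkg, []).append(version)
    return {pkg: sorted(v) for pkg, v in sorted(hits.items())}
```

Because different packages may pin different versions of the same crate, the result lists the affected version per package rather than a single archive-wide version.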