On Thu, Sep 2, 2021 at 10:39 PM Phil Morrell wrote:

> Over this last year there seems to have been a noticeable divergence of
> maintainer opinion, on what has become known as vendoring

Embedded copies of code/etc have downsides ...

https://wiki.debian.org/EmbeddedCopies

> It is my reading of the situation that not only has this practice become
> more prevalent across multiple ecosystems since 2008

... but there are many many copies in Debian and they are not going away
upstream.

> [security-tracker]:
> https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies

Side note: this file is very much outdated; new copies are introduced all
the time and old copies get removed.

This has always been the case and it always will be. So we need to cope
with the consequences of this change toward embedding in the upstream
FLOSS ecosystems.

Personally, my recommendations are that:

Debian package maintainers could investigate upstream tarballs for
embedded copies before each upload containing a new/changed upstream
tarball.

Debian package maintainers could talk to upstream about removing embedded
copies and replacing them with dependencies.

Debian package maintainers could talk to upstream about upstreaming
changes in modified embedded copies, removing the embedded copies and
replacing them with dependencies.

Debian package maintainers could use Files-Excluded or `rm -r` in
debian/rules to ensure that embedded copies are not used by the build.

Debian package maintainers could add hints to the source package about
which embedded copies are definitely used.

Debian security tracker could remove the perpetually outdated list of
embedded copies.

Debian security issue investigators could search the archive for similar
or duplicate code (using the tools listed on the above wiki page),
investigate the build logs for each package found and determine which
packages are affected.

This is a lot of work, but given the level of embedding we already have,
it is already necessary.

Also, the issue of static linking is similar; it is here, it isn't going
away and so now we have to cope with it, and the problems it causes are
similar to embedded copies.

https://wiki.debian.org/StaticLinking

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
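As an added illustration of two of the recommendations above (checking an unpacked upstream tarball for embedded copies before an upload, and turning the findings into a Files-Excluded entry for debian/copyright), here is a small POSIX shell script. It is example code written for this page, not Debian tooling and not from the message author or the wiki; the vendored-directory names and library file names it looks for are illustrative assumptions, not an authoritative list, and the sample source tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not Debian tooling): heuristic scan of an unpacked upstream
# source tree for embedded copies, plus a Files-Excluded stanza suggestion.
# The name patterns below are illustrative assumptions; extend them for the
# ecosystem you package for.
set -eu

# Directory names that usually mark vendored code (assumed list).
VENDOR_DIRS='vendor third_party thirdparty 3rdparty external bundled'

# Flagship source/header files of libraries that are commonly embedded
# (assumed list).
LIB_FILES='zlib.h sqlite3.c lua.h jquery.js jquery.min.js expat.h pcre.h md5.c sha1.c'

# find_embedded_copies DIR
# Prints one candidate path per line, relative to DIR, sorted and
# de-duplicated. Exits 0 whether or not anything matched.
find_embedded_copies() {
    dir=$1
    {
        for d in $VENDOR_DIRS; do
            find "$dir" -type d -name "$d" -print
        done
        for f in $LIB_FILES; do
            find "$dir" -type f -name "$f" -print
        done
    } | sed "s|^$dir/||" | LC_ALL=C sort -u
}

# files_excluded_stanza DIR
# Emits a Files-Excluded field for the debian/copyright header paragraph,
# listing only the directory candidates (excluding a directory drops its
# contents, so the individual files inside it need no entry of their own).
files_excluded_stanza() {
    dir=$1
    printf 'Files-Excluded:\n'
    find_embedded_copies "$dir" | while IFS= read -r p; do
        if [ -d "$dir/$p" ]; then
            printf ' %s\n' "$p"
        fi
    done
}

# make_sample_tree
# Builds a constructed (not real) source tree in a temporary directory and
# prints its path: one genuine source file, one modified copy of md5.c
# hiding under src/compat, and two vendored libraries.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/src/compat" "$t/vendor/zlib" "$t/third_party/sqlite"
    : > "$t/src/main.c"
    : > "$t/src/compat/md5.c"
    : > "$t/vendor/zlib/zlib.h"
    : > "$t/third_party/sqlite/sqlite3.c"
    printf '%s\n' "$t"
}

# Demo on the constructed tree. In real use, point the functions at the
# unpacked upstream tarball instead, e.g. find_embedded_copies ../foo-1.2.
sample=$(make_sample_tree)
echo "Candidate embedded copies:"
find_embedded_copies "$sample"
echo
echo "Suggested debian/copyright field:"
files_excluded_stanza "$sample"
rm -r "$sample"
```

Hits like `src/compat/md5.c` are the interesting ones for the security tracker: they are not in a directory that Files-Excluded would remove wholesale, so they are the copies that need either a hint in the source package that they are really used, or an `rm -r` in debian/rules together with a build-dependency on the packaged library.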