-=| Olek Wojnar, 04.12.2022 21:25:04 -0500 |=-
> Hi there,
>
> > I just had a quick look at the source code. The problem are the vendored
> > headers in the dependencies/ folder. Per debian policy they need to be
> > packaged themselves.
>
> I was just looking at this package as well and I was a bit confused by your
> comment. What exactly are you seeing in the dependencies folder that would
> require separate library packages?
Basically everything that is not authored by the OpenRGB developers as
part of OpenRGB? I would guess most of the content under dependencies
is just copied from somewhere for convenience.
> Could you also please point me to the policy that requires this?
4.13. Embedded code copies
==========================
Some software packages include in their distribution convenience
copies of code from other software packages, generally so that users
compiling from source don’t have to download multiple packages.
Debian packages should not make use of these convenience copies
unless the included package is explicitly intended to be used in this
way. [17]
If the included code is already in the Debian archive in the form of
a library, the Debian packaging should ensure that binary packages
reference the libraries already in Debian and the convenience copy is
not used. If the included code is not already in Debian, it should be
packaged separately as a prerequisite if possible. [18]
[17] For example, parts of the GNU build system work like this.
[18] Having multiple copies of the same code in Debian is
inefficient, often creates either static linking or shared
library conflicts, and, most importantly, increases the
difficulty of handling security vulnerabilities in the
duplicated code.
So it is not strictly required, but a strong recommendation:
* The terms *should* and *should not*, and the adjective
*recommended*, denote best practices. Non-conformance with these
guidelines will generally be considered a bug, but will not
necessarily render a package unsuitable for distribution. These
statements correspond to bug severities of *important*, *normal*,
and *minor*. They are collectively called *Policy recommendations*.
If you go with the bundles, don't forget to add them to the security
tracker at
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
-- Damyan, hoping for the best
