Re: De-vendoring gnulib in Debian packages
Ansgar 🙀 <ansgar@43-1.org> writes:
> In ecosystems like NPM, Cargo, Golang, Python and so on pinning to
> specific versions is also "explicitly intended to be used"; they just
> sometimes don't include convenience copies directly as they have tooling
> to download these (which is not allowed in Debian).
Yeah, this is a somewhat different case that isn't well-documented in
Policy at the moment.
> (Arguably Debian should use those more often as keeping all software at
> the same dependency version is a futile effort IMHO...)
There's a straight tradeoff with security effort: more security work is
required for every additional copy of a library that exists in Debian
stable. (And, of course, some languages have better support for having
multiple simultaneously-installed versions of the same library than
others. Python's support for this is not great; the ecosystem expectation
is that one uses separate virtualenvs, which don't really solve the Debian
build dependency problem.)
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>