Web lists-archives.com

Re: Q: Debian position on bundled libraries




On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote:

> Here is some libraries to unbundle; this could certainly could be done,
> However, the core issue is a few libraries which cannot realistically be
> unbundled. One example is mygdal, a heavily patched subset of the gdal
> package.

gdal has had one security issue in the past and I wouldn't be
surprised if it had one in the future, since it is basically a
collection of file format parsers. As such I am not sure using a fork
of it is a good idea. It would be best to work with both upstreams to
resolve the delta.

https://security-tracker.debian.org/tracker/source-package/gdal

> So, before proceeding with this work I'd like to know how to handle a
> situation like this. Under what conditions (if any) is bundling actually OK?

Personally, I don't think it is ever acceptable.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise