Re: Q: Debian position on bundled libraries
- Date: Thu, 23 Aug 2018 15:26:51 +0800
- From: Paul Wise <pabs@xxxxxxxxxx>
- Subject: Re: Q: Debian position on bundled libraries
On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote:
> Here are some libraries to unbundle; this could certainly be done,
> However, the core issue is a few libraries which cannot realistically be
> unbundled. One example is mygdal, a heavily patched subset of the gdal
gdal has had one security issue in the past and I wouldn't be
surprised if it had one in the future, since it is basically a
collection of file format parsers. As such I am not sure using a fork
of it is a good idea. It would be best to work with both upstreams to
resolve the delta.
> So, before proceeding with this work I'd like to know how to handle a
> situation like this. Under what conditions (if any) is bundling actually OK?
Personally, I don't think it is ever acceptable.