[Proposal] Ring-based Packaging Policies

Ralf Corsepius rc040203 at freenet.de
Sat Feb 14 05:44:13 UTC 2015

On 02/13/2015 08:20 PM, Florian Weimer wrote:

> I have some people express the notation that they can always switch to
> the system library version in case a security vulnerability comes out,
> but I doubt that this works in practice (because then there wouldn't
> be a reason for bundling).

It sometimes works. Typically in cases when upstreams bundle a library, 
as conditional fallback or build-time option
- to cater cases an OS doesn't provide a library.
- because they believe to need a version "greater than the version the 
OS provides (This is sometimes true, but sometimes also isn't)
- as convenience to occasional builders/installers, who doen't care 
about system integration.

These cases aren't actually uncommon, but in most cases the reasons for 
bundling are elsewhere:
- Dead upstreams
- Non-cooperational upstreams
- "Don't care" about system-integration.
- Lack of experience/naive upstream


More information about the devel mailing list