[Proposal] Ring-based Packaging Policies
rc040203 at freenet.de
Sat Feb 14 05:44:13 UTC 2015
On 02/13/2015 08:20 PM, Florian Weimer wrote:
> I have some people express the notation that they can always switch to
> the system library version in case a security vulnerability comes out,
> but I doubt that this works in practice (because then there wouldn't
> be a reason for bundling).
It sometimes works. Typically in cases when upstreams bundle a library,
as conditional fallback or build-time option
- to cater cases an OS doesn't provide a library.
- because they believe to need a version "greater than the version the
OS provides (This is sometimes true, but sometimes also isn't)
- as convenience to occasional builders/installers, who doen't care
about system integration.
These cases aren't actually uncommon, but in most cases the reasons for
bundling are elsewhere:
- Dead upstreams
- Non-cooperational upstreams
- "Don't care" about system-integration.
- Lack of experience/naive upstream
More information about the devel