What exactly is a "bundled library"? (was Re: apitrace, bundled libbacktrace)

Matěj Cepl mcepl at cepl.eu
Thu Jan 8 07:55:07 UTC 2015


On 2015-01-08, 03:36 GMT, Richard Shaw wrote:
> In the specific case I ran into, one of the package suites I've been working
> on technically bundles a modified copy of xmlrpcpp. However, it is quite
> modified, upstream is dead, it's not already in Fedora, and the author I'm
> working with only uses it for communication between his suite of programs
> and has no intention of offering it as a separate library.

Hi,

I think in the end it is not so much a matter of definition as of 
where the buck stops. I believe there are these questions which 
need to be answered:

1) Will you be able to identify a security concern? Way more 
   simple for the independent well-known library than for some 
   directory down in your project. Even more difficult for 
   hundreds of bundled libraries scattered all over the system 
   (the famous Debian libz issue).
2) Who will fix the issue? Because if there is no well-maintained 
   upstream for the library, or if the maintainer of your 
   upstream is not willing or able to fix any issue which comes 
   her way, then there is only one person who is responsible for 
   fixing any such issue: you.

Best,

Matěj

-- 
http://www.ceplovi.cz/matej/, Jabber: mcepl<at>ceplovi.cz
GPG Finger: 89EF 4BC6 288A BF43 1BAB  25C3 E09F EF25 D964 84AC
 
"Push to test." (click) "Release to detonate..."
 -- from a bugzilla quip list
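Question 1 above is, in practice, an inventory problem: before you can decide who fixes a flaw in a bundled copy, you have to find the copies. The following is an added example, not code from this thread or from Fedora's tooling, showing one way a packager might sweep a tree for bundled copies of zlib. It relies on the copyright strings zlib compiles into its deflate and inflate objects (e.g. " deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler "); the regular expression, the `fixed_in` threshold and the sample files it scans are all assumptions constructed for the demonstration, not a statement about any real package or CVE.

```python
import os
import re
import tempfile

# zlib embeds a version/copyright string in deflate.c and inflate.c, which
# survives into compiled objects. Matching it is an assumption of this
# scanner; other libraries need their own fingerprint.
ZLIB_VERSION_RE = re.compile(rb"(?:deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")


def parse_version(text):
    """'1.2.12' -> (1, 2, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def scan_tree(root, fixed_in="1.2.12"):
    """Walk `root` and return a sorted list of (relative path, version, outdated)
    for every file carrying a zlib version string.

    `fixed_in` is an illustrative threshold (assumption): any bundled copy
    older than it is flagged so the packager knows which copies need a
    fix from somebody, and who that somebody is.
    """
    threshold = parse_version(fixed_in)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            match = ZLIB_VERSION_RE.search(data)
            if match is None:
                continue
            version = match.group(1).decode("ascii")
            outdated = parse_version(version) < threshold
            hits.append((os.path.relpath(path, root), version, outdated))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample filesystem for the demonstration: one system-wide
    libz, two bundled copies buried inside applications, and an unrelated
    file. None of these are real packages."""
    root = tempfile.mkdtemp(prefix="bundled-scan-")
    samples = {
        "usr/lib/libz.so.1":
            b"\x7fELF\x02\x01\x01\x00" +
            b" deflate 1.2.12 Copyright 1995-2022 Jean-loup Gailly and Mark Adler ",
        "opt/app/third_party/zlib/deflate.c":
            b'const char deflate_copyright[] = '
            b'" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ";',
        "opt/other/vendor/inflate.o":
            b"\x00\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
        "opt/app/README":
            b"nothing bundled here",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, version, outdated in scan_tree(root):
        flag = "OUTDATED" if outdated else "ok"
        print(f"{flag:8} zlib {version:<7} {rel}")
```

Run against a real root (`scan_tree("/")`) the same loop turns "hundreds of bundled libraries scattered all over the system" from a worry into a list with a version beside each entry; the system copy shows up once, and every other hit is a bundled copy somebody has to own.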