Proposal to reduce anti-bundling requirements

Dave Love at
Mon Oct 5 11:09:49 UTC 2015

Tom Hughes <tom at> writes:

> Recently I even saw a case of a header only C++ library bundling
> another C++ head library which raises slightly metaphysical questions
> since dependants of a header only library need to be rebuilt when it
> changes anyway if they are to pickup security fixes. Strictly speaking
> that's even true of a more traditional library if the security fix
> happens to be in a header, but I wonder how well we pick up such
> things and propagate them?

I don't think that's uncommon in applications I see.  I've been puzzled
throughout why using things like Boost isn't counted and why this only
seems to be about security, from what people have been saying.

A header-only, or header-mainly, library seems quite likely to affect
security-sensitive programs.  On the other hand, the sort of (likely
modified or version-specific) libraries for building the scientific
programs I'm interested in seem to be problematical on the same level as
things affecting potentially security-sensitive system programs.

I am all in favour of unbundling as much from such packages as
reasonably practical, from an engineering and system management point of
view, and have done it.  I'm just puzzled by some of the rationale in
the discussion.

More information about the devel mailing list