Re: Anti-bundling materials
On 8/22/21 5:41 PM, George Georgalis wrote:
On Sun, Aug 22, 2021 at 8:07 AM Jason Bacon <outpaddling%yahoo.com@localhost
Hopefully seeing a broad consensus against this practice among package
managers will diminish its use. Most of the developers I've encountered
who do this have no idea about the risks, so a little education is
all it takes to sway them.
Anyway, for less difficult packages, has there been resistance
upstream to patches that move away from bundling deps,
e.g. wget stable and prefix make? A patch for upstream to set up,
build and fix dep path parameterization would get a lot more
attention than links to third-party best practice, and would simplify
a pkgsrc unbundling patch, too. The choice of bundling usually
has more to do with critical priorities and available effort
than any philosophy or death wish...
The typical response to such patches is bewilderment as to why I would
want to do such a thing. Most upstream developers who statically bundle
a library seem unaware of or unconcerned about the security and
stability issues. Seeing that I didn't invent this concern gives them a
reason to take the suggestion seriously.