Ansgar 🙀 <ans...@43-1.org> writes:

> In ecosystems like NPM, Cargo, Golang, Python and so on pinning to
> specific versions is also "explicitly intended to be used"; they just
> sometimes don't include convenience copies directly as they have tooling
> to download these (which is not allowed in Debian).

Yeah, this is a somewhat different case that isn't well-documented in
Policy at the moment.

> (Arguably Debian should use those more often as keeping all software at
> the same dependency version is a futile effort IMHO...)

There's a straight tradeoff with security effort: more security work is
required for every additional copy of a library that exists in Debian
stable.

(And, of course, some languages have better support for having multiple
simultaneously-installed versions of the same library than others.
Python's support for this is not great; the ecosystem expectation is that
one uses separate virtualenvs, which don't really solve the Debian build
dependency problem.)

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>