Bug#907051: Say much more about vendoring of libraries

2018-08-23 Thread Jonathan Nieder
Hi,

Arnaud Rebillout wrote:

> During all this time when I was questioning myself on the reason to
> un-bundle, the only official documentation I found was the short
> paragraph in the Debian Policy [1], which is quite thin. Only now,
> through the thread in debian-devel, have I discovered that there is some
> more information in the Wiki. I couldn't find this information when I
> needed it, but maybe I'm just not good at finding a needle in a haystack ;)

For reference, I think you're referring to

 https://wiki.debian.org/EmbeddedCodeCopies
 https://wiki.debian.org/UpstreamGuide#No_inclusion_of_third_party_code

Thanks for that.  It may be a good place to find text to reuse.

Jonathan



Bug#907051: Say much more about vendoring of libraries

2018-08-23 Thread Jonathan Nieder
Hi,

Sean Whitton wrote:
> On Thu 23 Aug 2018 at 12:27PM +0200, Alec Leamas wrote:

>> https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries
>
> Thank you for sharing this link -- it seems like Fedora have thought
> harder about this than we have, at least at the level of the whole
> project.
>
> We can't jump straight to something as involved as that, but threads
> like this on -devel suggest to me that Policy's discussion of vendoring
> needs to be expanded.
>
> In particular, Policy should explain /why/ bundling is best avoided, and
> the consensus that it sometimes has to happen should be noted, along
> with mention of registering bundled copies with the security team where
> appropriate.

My first instinct was that this belongs in devref, not Policy, since
it is more about the project than about consistency and
interoperability issues that directly affect packaging tools and user
experience.

But then I realized that the Debian Free Software Guidelines, for
example, are part of policy.  This topic would similarly be a good fit
for ch-archive.  Thanks for filing it.

Jonathan



Bug#907051: Say much more about vendoring of libraries

2018-08-23 Thread Arnaud Rebillout


On 08/23/2018 08:13 PM, Sean Whitton wrote:
> In particular, Policy should explain /why/ bundling is best avoided, and
> the consensus that it sometimes has to happen should be noted, along
> with mention of registering bundled copies with the security team where
> appropriate.

I can only agree on that part: explaining the rationale of **why**
bundling should be avoided in a bit more detail. I spent a lot of time
dealing with that when packaging Docker, and at some point I realized
that I couldn't even explain to myself why I was spending so much time
un-bundling the world out of Docker. I just had a vague understanding
that "bundling is bad", and I understand the security issues of bundled
code. But I wish I had more details on "how bad it is", just so that I
could justify to myself spending so much time on it. Sometimes the
barrier between time well spent and time wasted is very thin, and you're
not sure where you stand.

Also, it turns out that sometimes bundling can't be avoided. I don't
know if it's possible to come up with some general guidelines on that.
We have it documented in the README.source of docker, but it applies to
Docker's special case, and I don't pretend it can be extended to the
general case.

During all this time when I was questioning myself on the reason to
un-bundle, the only official documentation I found was the short
paragraph in the Debian Policy [1], which is quite thin. Only now,
through the thread in debian-devel, have I discovered that there is some
more information in the Wiki. I couldn't find this information when I
needed it, but maybe I'm just not good at finding a needle in a haystack ;)

All of that to say: I would find it very helpful to have some more
"official information" from Debian on bundled/vendored/embedded code: the
rationale to un-bundle, and possibly some guidelines for keeping bundles.

  Arnaud

[1]: https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles



Bug#907051: Say much more about vendoring of libraries

2018-08-23 Thread Sean Whitton
Package: debian-policy
Version: 4.2.0.1

Hello,

On Thu 23 Aug 2018 at 12:27PM +0200, Alec Leamas wrote:

> https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries

Thank you for sharing this link -- it seems like Fedora have thought
harder about this than we have, at least at the level of the whole
project.

We can't jump straight to something as involved as that, but threads
like this on -devel suggest to me that Policy's discussion of vendoring
needs to be expanded.

In particular, Policy should explain /why/ bundling is best avoided, and
the consensus that it sometimes has to happen should be noted, along
with mention of registering bundled copies with the security team where
appropriate.

-- 
Sean Whitton
