On 08/23/2018 08:13 PM, Sean Whitton wrote:
> In particular, Policy should explain /why/ bundling is best avoided, and
> the consensus that it sometimes has to happen should be noted, along
> with mention of registering bundled copies with the security team where
> appropriate.

I can only agree on that part: explaining in a bit more detail the
rationale of **why** bundling should be avoided. I spent a lot of time
dealing with that when packaging Docker, and at some point I realized
that I couldn't even explain to myself why I was spending so much time
un-bundling the world out of Docker. I just had a vague understanding
that "bundling is bad", and I understand the security issues of bundled
code. But I wish I had more details on "how bad it is", just so that I
can justify to myself spending so much time on it. Sometimes the
barrier between time
well-spent and time wasted is very thin, and you're not sure where you

Also, it turns out that sometimes bundling can't be avoided. I don't
know if it's possible to come up with some general guidelines on that.
We have it documented in the README.source of docker, but it applies to
the docker special case, and I don't pretend it can be extended to a general

During all this time when I was questioning myself on the reason to
un-bundle, the only official documentation I found was the short
paragraph in the Debian Policy [1], which is quite thin. Only now,
through the thread in debian-devel, I discovered that there is some more
information in the Wiki. I couldn't find this information when I needed
it, but maybe I'm just not good at finding a needle in a haystack ;)

All of that to say: I would find it very helpful to have some more
"official information" from Debian on bundled/vendored/embedded code:
the rationale to un-bundle, and possibly some guidelines for keeping bundles.


[1]: https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
