Sean Whitton <spwhit...@spwhitton.name> wrote:
> I am not sure, however, that your argument applies to security updates
> to our stable releases. These updates are almost always a matter of
> backporting small fixes, rather than updating to new upstream releases.
> And for backported fixes, vendoring makes things much harder.
In the case of kubernetes it will most certainly make security updates easier, not more complex. For an application like kubernetes there'll be a steady stream of security releases, and if some of these also rebase to a fixed, vendored Go "library", that doesn't take any extra effort. It's very similar to e.g. Chromium (and to some extent Firefox), which also frequently fix issues in bundled libraries, but it's always just one more bug in a bigger update pile.

I have some concerns about whether the fast-paced kubernetes release cadence will be workable for Debian's release cycles, but I think Janos' tradeoffs seem fair for packaging kubernetes.

Cheers,
Moritz