On 08/23/2018 08:13 PM, Sean Whitton wrote:
> In particular, Policy should explain /why/ bundling is best avoided, and
> the consensus that it sometimes has to happen should be noted, along
> with mention of registering bundled copies with the security team where
> appropriate.
I can only agree on that part: explaining a bit more the rationale of **why** bundling should be avoided.

I spent a lot of time dealing with that when packaging Docker, and at some point I realized that I couldn't even explain to myself why I was spending so much time un-bundling the world out of Docker. I just had a vague understanding that "bundling is bad", and I understand the security issues of bundled code. But I wish I had more details on "how bad it is", just so that I can justify to myself spending so much time on it. Sometimes the barrier between time well-spent and time wasted is very thin, and you're not sure where you stand.

Also, it turns out that sometimes bundling can't be avoided. I don't know if it's possible to come up with some general guidelines on that. We have it documented in the README.source of docker, but it applies to Docker's special case, and I don't pretend it can be extended to a general case.

During all this time when I was questioning myself on the reason to un-bundle, the only official documentation I found was the short paragraph in the Debian Policy [1], which is quite thin. Only now, through the thread in debian-devel, I discover that there is some more information in the Wiki. I couldn't find this information when I needed it, but maybe I'm just not good at finding a needle in a haystack ;)

All of that to say: I would find it very helpful to have some more "official information" from Debian on bundled/vendored/embedded code. The rationale to un-bundle, and possibly some guidelines to keep bundles.

Arnaud

[1]: https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles