Tomáš Chvátal schrieb:
> Bundling a few libs and bundling 40 of them is a bit of a difference; will YOU do 
> the audit?
> Also other teams actively work on the unbundling, while there is no sign of any 
> will to actually make it buildable with system libs.
> 
> Also, security is not the only problem here; it can also cause runtime 
> issues. Like a bundled lib does not work with xyz because it does not apply 
> patch X that we have in the main tree.

I agree that this package should not be marked stable unless the security
team agrees.
But IMO the package can stay ~arch unless there are actual security/runtime
problems. If such problems are found, then it can be p.masked with reference
to the bug report.

> Still, keep in mind most distros won't allow inclusion of such software into 
> main repositories at all, so we allow something fishy that others avoid a lot.

The same is true for non-redistributable software (RESTRICT="mirror" and/or
"bindist"), software redistributable only in source form (bindist) or
software that may only be downloaded manually (fetch).


Best regards,
Chí-Thanh Christopher Nguyễn
