Github user kxepal commented on the pull request:
https://github.com/apache/couchdb/pull/302#issuecomment-114090050
>> However, I do think the CouchDB configure script should provide options
>> that allow me to ignore the bundled versions.
>
> Totally fair. I can't promise any priority for this for 2.0, but I
> agree we should have that sooner than later. Thanks for your perspective.
The biggest problem here will be with the distributions that provide their own
packages for specific Erlang apps and try to unbundle upstream deps like
Mochiweb in order to replace them with system packages. Sometimes that causes
quite interesting situations when a DoS issue is fixed in the bundled dep, but not in
upstream. So here we should also limit ourselves on which bundles we allow to be
replaced with system packages and which we do not.
But I agree about the snappy case anyway.
P.S. @djc we bundle snappy-1.0.5, which was removed from portage for now. I
had patches somewhere to update it up to the recent 1.1.2 - need to check if it
wouldn't cause any issues since they've used autotools more in recent releases.