On 2025-Nov-21, Daniel Gustafsson wrote:

> > On 21 Nov 2025, at 12:33, Aleksander Alekseev <[email protected]> wrote:
>
> > Are there good reasons why we can't simply make lz4 a required
> > dependency? In the worst case we could simply copy its implementation,
> > the license permits.
>
> I think we should, as much as we can, avoid vendoring code, especially
> something like lz4 which can be expected to be available nearly everywhere.

Yeah. There's the security aspect: if lz4 is found to have a security bug, we would be obliged to issue an advisory and matching release. It's best if the library code is kept separate, so their own security advisory is enough.

--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
