On Sat, Mar 20, 2021 at 09:13:24PM -0700, Greg Steuck wrote:
> A bigger question is if something else should be done.  Memory safety is
> an obvious problem to worry about especially in the context where the
> selection may not be fully trusted. So, should we pick up a few more
> patches from upstream: https://github.com/kfish/xsel/commits/master ?
> 
> Trouble is they have a multiple-year old issue pending to roll a release
> with no activity beyond people asking for status:
> https://github.com/kfish/xsel/issues/28
You could package a specific commit and use xsel-1.2.0.20210321 as date
or so, that'll give you the latest and greatest fixes outside a release
and will play nicely with the next proper update to 1.3.x or so, i.e.
the upgrade will just work.

That also avoids having local patches, which is nice.
Generally, tracking upstream releases makes sense, but if they can't be
arsed to roll another tarball due to whatever reasons, I do tend to just
track HEAD and ship important bug fixes to our users nonetheless.
