According to MIR rules, we need security team ACK to use embedded llhttp:

"
[Embedded sources and static linking]
RULE: - Embedding a library source increases the maintenance burden of a package
RULE: since that source needs to be maintained separately from the source in
RULE: the Ubuntu archive. If a source embeds another package, in general the
RULE: embedded package should not be used and the packaging should be modified
RULE: to use the Ubuntu archive version. When this is not possible, the
RULE: security team must agree to using the embedded source.
"

I'd like to request the security team's approval on this, so we can switch to the native llhttp vendored in libgit2. Considering the weird situation of libllhttp being shipped as part of node-undici, it might be more reasonable to track libgit2 upstream, using the vendored dependency. That is, at least until the bug from comment #3 is resolved (i.e. having an isolated libllhttp package in the archive).

--
https://bugs.launchpad.net/bugs/2080872

Title: libgit2: replace unmaintained http-parser dependency with llhttp
