pkgsrc-Users archive

Re: Anti-bundling materials



On 08/21, Jason Bacon wrote:
> On 8/21/21 8:49 AM, J. Lewis Muir wrote:
> > On 08/20, Jason Bacon wrote:
> What we're talking about here is things like copying a C library into an
> application's source dist, which then falls behind the mainstream version
> that may already be available as a pkgsrc package.  This practice is common
> in scientific software and leads to security issues and other bugs that are
> difficult to fix because the software uses an outdated API.
> 
> If we add our voice to the chorus, we might convince a few more upstream
> developers to stop doing this and our job as packagers will become a little
> easier.
> 
> It's just a matter of posting a small document that might nudge some
> developers in the right direction.

That's cool; I'm just saying that if you're looking at only that, you're
essentially dealing with maybe 1% of the problem cases (just making that
up; I don't know what the actual percentage is); the remaining 99% are
still there and unaddressed.

As you said, this practice "leads to security issues and other bugs that
are difficult to fix because the software uses an outdated API."  I'm
not sure what you mean by "difficult to fix because the software uses an
outdated API" (I would think that would actually make the software more
likely to keep working because it has bundled the library with the API
that it uses), but in general, the exact same issues, and more outlined
in some of the resources you posted upthread, exist for the 99% that are
not being addressed.

Lewis