Re: Anti-bundling materials

[Jason Bacon <outpaddling%yahoo.com@localhost>]

On 8/22/21 5:41 PM, George Georgalis wrote:
> On Sun, Aug 22, 2021 at 8:07 AM Jason Bacon <outpaddling%yahoo.com@localhost 
> <mailto:outpaddling%yahoo.com@localhost>> wrote:
>
>
>     Hopefully seeing a broad consensus against this practice among package
>     managers will diminish its use. Most of the developers I've encountered
>     who do this have no idea about the risks, so a little education
>     might be
>     all it takes to sway them.
>
>
>
> Anyway, for less difficult packages, has there been resistance
> upstream for patches that move away from bundling deps;
> eg wget stable and prefix make? A patch for upstream to set up,
> build and fix dep path parameterization, would get a lot more
> attention than links to third party best practice and simplify
> a pkgsrc unbundling patch, too. The choice of bundling usually
> has more to do with critical priorities and available effort,
> than any philosophy or death wish...

The typical response to such patches is bewilderment as to why I would 
want to do such a thing.  Most upstream developers who statically bundle 
a library seem unaware of or unconcerned about the security and 
stability issues.  Seeing that I didn't invent this concern gives them a 
reason to take the suggestion seriously.