On Sat 21 Aug 2021 at 17:19:12 -0500, Jason Bacon wrote:
> What I'm saying here is the bundled library *is* the problem since it has
> known vulnerabilities or bugs, and we can't just hack the build system to
I'd think of it more as a consequence.
To me, the things that are driving this are:
- rapidly evolving projects dependent on a just as rapidly evolving set of external dependencies - freezing at least contains some of the complexity
- language tools encouraging this by making freezing/bundling the accepted norm
No amount of moralizing will solve this.
One issue that I haven't seen mentioned is the need for some packages to
have portability fixes, which then need to be replicated into vendored
packages. That could be a good addition to the list of issues.
-Olaf.
--
___ "Buying carbon credits is a bit like a serial killer paying someone else to
\X/ have kids to make his activity cost neutral." -The BOFH falu.nl@rhialto