Hopefully seeing a broad consensus against this practice among package
managers will diminish its use. Most of the developers I've encountered
who do this have no idea about the risks, so a little education might be
all it takes to sway them.
I've not been giving pkgsrc any effort lately, still running critical
infra on it though. The last package I tried to make work was
Blaze, to build TF on NetBSD. Nevermind that, I'm sure it's
still impossible, although I didn't think to try bundling...
Anyway, for less difficult packages, has there been resistance
upstream for patches that move away from bundling deps;
eg wget stable and prefix make? A patch for upstream to set up,
build and fix dep path parameterization, would get a lot more
attention than links to third party best practice and simplify
a pkgsrc unbundling patch, too. The choice of bundling usually
has more to do with critical priorities and available effort,
than any philosophy or death wish...
--