ebuild-writing/bundled-dependencies: new section #377
Conversation
|
How's it looking now? OK to proceed to content review? And do we want to commit this as-is, or review the content here? Either is fine with me. I guess reviewing the content here is easier because you can comment on the full diff more easily. What I don't want to do, however, is squash any content fixes into the first commit. |
|
I'd say we should continue with content review here. |
|
Let me know when it looks OK and I'll move onto content (I don't want to try fix existing style issues in the first commit once I started that, as cherry-picking that will be hell). |
ulm
left a comment
ulm
left a comment
There was a problem hiding this comment.
Formatting looks good.
I have some tiny comments, admittedly most are into spelling territory (but you might want to fix them now, so they won't interfere with content review later).
|
Thank you! The quick reviews are appreciated, it helps a lot with momentum and motivation. |
laumann
left a comment
laumann
left a comment
There was a problem hiding this comment.
This is good reading 👍
idk if you want examples of packages where upstream does vendor dependencies, but has a mechanism not to use them. media-libs/openjpeg vendors some libraries that Gentoo's packaging carefully removes. At least it's optional to use the vendored versions.
ebuild-writing/bundled-deps/text.xml
Outdated
| are aware that the package is statically linked) | ||
| </li> | ||
| <li> | ||
| If <e>foo</e> bundled local copy of <e>libbar</e>, then they would have to wait |
There was a problem hiding this comment.
No, if foo bundled a..
Changed to that now.
I've tried to faithfully port the wiki page [0] to the devmanual in this commit, and intend to change the contents as required in followups, to allow easier comparison and to retain provenance. [0] https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies Closes: https://bugs.gentoo.org/300625 Signed-off-by: Sam James <[email protected]>
|
I'm not sure if it fits in the narrative anywhere, but one argument I hear often is "so what, we'll just upgrade the bundled version when it becomes vulnerable." This fails in practice for two reasons:
So the lack of a "vulnerability" in a bundled dependency is truly indicative of nothing. |
4 participants
I've tried to faithfully port the wiki page [0] to the devmanual in this commit, and intend to change the contents as required in followups, to allow easier comparison and to retain provenance.
[0] https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies
Closes: https://bugs.gentoo.org/300625
Note: I'm looking for review of the formatting and porting to the devmanual for now, not whether we should add/adjust content etc (which I will do once the foundation is OK).