general-concepts/bundled-dependencies: new section#377
Conversation
|
How's it looking now? OK to proceed to content review? And do we want to commit this as-is, or review the content here? Either is fine with me. I guess reviewing the content here is easier because you can comment on the full diff more easily. What I don't want to do, however, is squash any content fixes into the first commit. |
|
I'd say we should continue with content review here. |
|
Let me know when it looks OK and I'll move onto content (I don't want to try fix existing style issues in the first commit once I started that, as cherry-picking that will be hell). |
ulm
left a comment
ulm
left a comment
There was a problem hiding this comment.
Formatting looks good.
I have some tiny comments, admittedly most are into spelling territory (but you might want to fix them now, so they won't interfere with content review later).
|
Thank you! The quick reviews are appreciated, it helps a lot with momentum and motivation. |
laumann
left a comment
laumann
left a comment
There was a problem hiding this comment.
This is good reading 👍
idk if you want examples of packages where upstream does vendor dependencies, but has a mechanism not to use them. media-libs/openjpeg vendors some libraries that Gentoo's packaging carefully removes. At least it's optional to use the vendored versions.
|
I'm not sure if it fits in the narrative anywhere, but one argument I hear often is "so what, we'll just upgrade the bundled version when it becomes vulnerable." This fails in practice for two reasons:
So the lack of a "vulnerability" in a bundled dependency is truly indicative of nothing. |
thesamesam
force-pushed
the
bundled
branch
2 times, most recently
from
bb7aa9a to
bba300d
Compare
|
@orlitzky Added, thanks! |
|
I think this should be good-to-go now. |
thesamesam
force-pushed
the
bundled
branch
2 times, most recently
from
acf0327 to
10cfeb8
Compare
|
Looking at this again, I wonder if "ebuild-writing" is the best place, or if it should go under "general-concepts"? |
|
I think on reflection I agree that concepts would be a better fit. |
thesamesam
changed the title
thesamesam
changed the title
I've tried to faithfully port the wiki page [0] to the devmanual in this commit, and intend to change the contents as required in followups, to allow easier comparison and to retain provenance. [0] https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies Closes: https://bugs.gentoo.org/300625 Signed-off-by: Sam James <sam@gentoo.org>
* Use 3rd-person perspective as we do elsewhere * Tweak grammar (usually just a missing comma or so) * Use longer example names where it aids readability (rather than letters; kept in some places) Signed-off-by: Sam James <sam@gentoo.org>
A common answer when asked to unbundle is that projects will simply update their bundled copy when a vulnerability is discovered. This has two issues: 1) nobody checks if old versions of packages are vulnerable; 2) MITRE does not issue CVEs for bundled versions of dependencies. It's therefore easy to miss that a copy is problematically stale. Suggested-by: Michael Orlitzky <mjo@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org>
bug #919100 is a nice example of where Meson subprojects exposed a real problem in a bundled dependency. Bug: https://bugs.gentoo.org/919100 Signed-off-by: Sam James <sam@gentoo.org>
5 participants
I've tried to faithfully port the wiki page [0] to the devmanual in this commit, and intend to change the contents as required in followups, to allow easier comparison and to retain provenance.
[0] https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies
Closes: https://bugs.gentoo.org/300625
Note: I'm looking for review of the formatting and porting to the devmanual for now, not whether we should add/adjust content etc (which I will do once the foundation is OK).