On Tue, Feb 03, 2026 at 02:29:18PM +0300, Dmitry E. Oboukhov wrote: > Proposed change to Policy > ~~~~~~~~~~~~~~~~~~~~~~~~~ > > 1. Explicitly allow packaging of programs that include all required > dependencies (convenience copies, vendoring), provided that > licenses and DFSG are respected.
Others have already raised the aspect of fixing vulnerabilities in such packages. How would that work in your opinion? A very simple way would be filing an RC bug to keep such packages out of stable releases on the grounds that they are not supportable. Would you agree with that approach? > 2. Require such packages to be clearly distinguishable from > "normal" ones that depend on separate packages from the archive. > Options (to be chosen or combined, to be decided in discussion): > > - Naming: a suffix or name part, e.g. -static, -bundled, > -standalone (or another agreed marker), so that the package name > indicates that dependencies are included; > > - A field in debian/control: e.g. X-Debian-Bundled-Deps: yes > (or: yes, no, partial) or similar within the existing control > structure, so that tools and users can unambiguously identify > such packages. How about also requiring all vendored dependencies to be listed in the security tracker? https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies Would you agree to perform uploads whenever a vulnerability in one of the vendored libraries is fixed in stable or oldstable? How about non-security bugs? I guess that around 0.5% of my bug reports are of the kind "your package is buggy, but the upstream copy of your vendored copy is already fixed, can you update it?". Expanding the bundling also means that we copy more bugs. This poses additional effort on QA teams that keep rediscovering fixed bugs. In effect, allowing more vendoring is shifting work from Debian's package maintainers to Debian's security and QA teams. Do you see any way of shifting this work back to package maintainers? Unless counter measures are taken, the end result of that is that the teams receiving that additional work will perform worse reducing the quality of Debian as a whole. To put this upside down, allowing more vendoring does not start with a policy change from my point of view. It starts with better tools in order to reduce the work of security and QA teams. Helmut
