Le mercredi 4 février 2026, 10:32:26 heure normale d’Europe centrale Helmut Grohne a écrit : > On Tue, Feb 03, 2026 at 02:29:18PM +0300, Dmitry E. Oboukhov wrote: > > Proposed change to Policy > > ~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > 1. Explicitly allow packaging of programs that include all required > > dependencies (convenience copies, vendoring), provided that > > licenses and DFSG are respected. > > Others have already raised the aspect of fixing vulnerabilities in such > packages. How would that work in your opinion? > > A very simple way would be filing an RC bug to keep such packages out of > stable releases on the grounds that they are not supportable. Would you > agree with that approach? > > > 2. Require such packages to be clearly distinguishable from > > "normal" ones that depend on separate packages from the archive. > > Options (to be chosen or combined, to be decided in discussion): > > > > - Naming: a suffix or name part, e.g. -static, -bundled, > > -standalone (or another agreed marker), so that the package name > > indicates that dependencies are included; > > > > - A field in debian/control: e.g. X-Debian-Bundled-Deps: yes > > (or: yes, no, partial) or similar within the existing control > > structure, so that tools and users can unambiguously identify > > such packages. > > How about also requiring all vendored dependencies to be listed in the > security tracker? > > https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies > > Would you agree to perform uploads whenever a vulnerability in one of > the vendored libraries is fixed in stable or oldstable? > > How about non-security bugs? I guess that around 0.5% of my bug reports > are of the kind "your package is buggy, but the upstream copy of your > vendored copy is already fixed, can you update it?". Expanding the > bundling also means that we copy more bugs. This poses additional effort > on QA teams that keep rediscovering fixed bugs. > > In effect, allowing more vendoring is shifting work from Debian's > package maintainers to Debian's security and QA teams. Do you see any > way of shifting this work back to package maintainers? > > Unless counter measures are taken, the end result of that is that the > teams receiving that additional work will perform worse reducing the > quality of Debian as a whole. > > To put this upside down, allowing more vendoring does not start with a > policy change from my point of view. It starts with better tools in > order to reduce the work of security and QA teams. > Thanks Helmut for this point
Note that I plan a gsoc for helping and allow a safety net https://wiki.debian.org/SummerOfCode2026/ApprovedProjects/AttackOfTheClonesFightBack rouca > Helmut > >
signature.asc
Description: This is a digitally signed message part.
