Markus Wanner wrote:
> Hi,
>
> Matthew Nicholson wrote:
>> From a packager's standpoint, using the system headers makes security
>> bugs more explicit.  If the packager's build system knows that monotone
>> has a build time dependency on a particular library (even if it is
>> header only) and a security bug is found in that library, then the
>> packager knows it needs to recompile that library.  If the library is
>> bundled in monotone, that information is lost.
>
> Thank you for this feedback from a packager's point of view.
>
> However, unlike you seem to assume, recompiling the library does *not*
> help with this kind of dependency. You need to recompile and repackage
> monotone. In this regard, header-only dependencies are rather different
> from library dependencies.

Yeah.  That was supposed to say recompile monotone, but you get the idea.

But, yeah, I take the point that packagers like the information that
monotone is "build time dependent" on boost. That would get lost if we
drop the dependency and incorporate the headers.



--
Matthew Nicholson
matt-land.com


_______________________________________________
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel