Stephan Houben <stephan...@gmail.com.invalid>:
> On 2017-09-10, Marko Rauhamaa wrote <ma...@pacujo.net>:
>> I've seen that done for Python and other technologies. It is an
>> expensive route to take. Also, it can be insecure. When
>> vulnerabilities are found, they are communicated to the maintainers
>> of, say, Python. When Python is fixed and released, the vulnerability
>> is revealed, but the version bundled with your product is still
>> broken. You have to be prepared to perform an emergency release of your
>> product and hope you don't mess things up.
>
> To each his own, but this is not different from any other third-party
> package your application depends on.
And that is an argument to minimize the number of 3rd-party dependencies in a product. However, programming languages are particularly problematic because they have huge attack surfaces. For example, we need to rerelease our product four times a year because of Java. No other 3rd-party package gives us such trouble.

(BTW, a former employer of mine chose to package Python with the application so they could ship the application in a .pyc format.)

Marko

-- 
https://mail.python.org/mailman/listinfo/python-list
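The thread's point is that a runtime bundled into a product stops receiving upstream fixes on its own, so the vendor has to track which bundled versions an advisory affects and rerelease. As an added example, not code from the thread or from any project mentioned in it, the script below checks a constructed bill of materials of bundled runtimes against constructed advisories (the advisory identifiers, components and versions are placeholders, not real data) and reports which runtimes are older than the first fixed release. It compares versions numerically, since plain string comparison gets `3.6.10` versus `3.6.9` wrong; it assumes dotted numeric version strings.

```python
"""Flag bundled runtimes that are older than the release an advisory names as fixed.

Added example for the mailing-list discussion above; the advisories and the
bill of materials below are constructed placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str      # placeholder identifier (constructed, not a real CVE number)
    component: str  # bundled runtime the advisory concerns
    fixed_in: str   # first release that contains the fix


def parse_version(text):
    """Turn a dotted numeric version such as '3.6.10' into (3, 6, 10).

    Comparing tuples of ints avoids the string-comparison pitfall where
    '3.6.10' sorts before '3.6.9'. Assumes dotted numeric versions only.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(bundled_version, advisory):
    """True when the bundled runtime predates the fixed release."""
    return parse_version(bundled_version) < parse_version(advisory.fixed_in)


def runtimes_needing_rerelease(bom, advisories):
    """Map each bundled component to the advisories it is still exposed to.

    bom: {component name: bundled version string}
    Returns {component: [advisory ids]} containing only components that
    are older than an advisory's fixed release; an empty dict means no
    emergency rerelease is needed for the given advisories.
    """
    findings = {}
    for adv in advisories:
        bundled = bom.get(adv.component)
        if bundled is None:
            continue  # the product does not bundle this runtime at all
        if is_vulnerable(bundled, adv):
            findings.setdefault(adv.component, []).append(adv.ident)
    return findings


# Constructed sample data: a product that bundles two runtimes.
CONSTRUCTED_BOM = {"python": "3.6.2", "java": "8.0.144"}

# Constructed advisories with placeholder identifiers and fixed versions.
CONSTRUCTED_ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "python", "3.6.3"),
    Advisory("ADV-EXAMPLE-2", "python", "3.6.10"),
    Advisory("ADV-EXAMPLE-3", "java", "8.0.141"),   # already contained in 8.0.144
    Advisory("ADV-EXAMPLE-4", "java", "8.0.151"),
]


if __name__ == "__main__":
    for component, ids in runtimes_needing_rerelease(
        CONSTRUCTED_BOM, CONSTRUCTED_ADVISORIES
    ).items():
        print(f"{component} {CONSTRUCTED_BOM[component]}: rerelease needed for {', '.join(ids)}")
```

In practice the bill of materials would be generated from the build (the exact interpreter or JDK build shipped), and the advisory list would come from the runtime's own security announcements; the comparison logic is the part that is easy to get wrong and is what the example isolates.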