On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote:
> Here are some libraries to unbundle; this could certainly be done.
> However, the core issue is a few libraries which cannot realistically be
> unbundled. One example is mygdal, a heavily patched subset of the gdal
> package.
gdal has had one security issue in the past and I wouldn't be surprised if it had one in the future, since it is basically a collection of file format parsers. As such I am not sure using a fork of it is a good idea. It would be best to work with both upstreams to resolve the delta.

https://security-tracker.debian.org/tracker/source-package/gdal

> So, before proceeding with this work I'd like to know how to handle a
> situation like this. Under what conditions (if any) is bundling actually OK?

Personally, I don't think it is ever acceptable.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise