Sean Whitton <spwhit...@spwhitton.name> wrote:
> I am not sure, however, that your argument applies to security updates
> to our stable releases. These updates are almost always a matter of
> backporting small fixes, rather than updating to new upstream releases.
> And for backported fixes, vendoring makes things much harder.
In the case of kubernetes it will most certainly make security updates
easier, not more complex. For an application like kubernetes there'll
be a steady stream of security releases and if some of these also rebase
to a fixed, vendored Go "library" that doesn't any extra effort.
It's very similar to e.g. Chromium (and to some extent Firefox) which
also frequently fix issues in bundled libraries, but it's always just
one more bug in a bigger update pile.
I have some concerns whether the fast-paced kubernetes release cadence
will be workable for Debian's release cycles, but I think Janos' tradeoffs
seems fair for packaging kubernetes.
Cheers,
Moritz
