caml-list - the Caml user's mailing list
From: François Bobot <francois.bobot@cea.fr>
To: caml-list@inria.fr
Subject: Re: [Caml-list] (dune/opam) Proper way of vendoring a library inside an application?
Date: Mon, 2 Mar 2020 10:33:02 +0100
Message-ID: <0b4352c4-91b6-a5ce-41ed-e5388e569754@cea.fr>
In-Reply-To: <7277977a-213a-1c3d-ec70-214e2d248350@inria.fr>

On 29/02/2020 at 12:20, François Pottier wrote:
> I don't see how it could cause any packaging problem; it should
> be transparent. The copy of Fix embedded inside Menhir is used
> when Menhir is installed and is immediately thrown away.
> 

Even if it is perhaps not applicable to Fix, which is a small library without attack surface,
generally, if there is a security bug in Fix, distributions don't want to need to patch it in all the
packages which vendor Fix. Patching Fix once is simpler, more efficient and safer.

But for a distribution, removing this vendor directory just means removing it; no other modifications
are needed: dune will then use the installed dependency. Package creators could look at
`(vendored_dirs vendor)` to find those directories. Of course the version can be different from the
last version of Fix. But choosing a common version is usually the hurdle of packagers (which we
should strive not to burden more!).

Best,

-- 
François
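
A packager-side check for the `(vendored_dirs vendor)` remark above, as an added example that is not part of the original message or of dune: it walks a source tree, reads each `dune` file, and lists the subdirectories marked as vendored so they can be audited or removed. It assumes the stanza holds only plain names or globs (set operators such as `:standard \ x` and block comments are not handled), and the sample tree is constructed for the demonstration.

```python
import fnmatch
import os
import re
import tempfile

# Matches a (vendored_dirs ...) stanza whose fields are plain names or globs.
STANZA = re.compile(r"\(\s*vendored_dirs\s+([^()]*)\)")

def strip_comments(text):
    """Drop dune line comments (';' to end of line); a simplification."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())

def vendored_dirs(root):
    """Return sorted paths, relative to root, of directories marked as vendored."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        if "dune" not in filenames:
            continue
        with open(os.path.join(dirpath, "dune"), encoding="utf-8") as fh:
            text = strip_comments(fh.read())
        for match in STANZA.finditer(text):
            for pattern in match.group(1).split():
                # The stanza only applies to direct subdirectories of the dune file.
                for name in fnmatch.filter(dirnames, pattern):
                    found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)

def build_sample_tree(root):
    """Constructed sample project: an application vendoring one library."""
    os.makedirs(os.path.join(root, "vendor", "fix"))
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "dune"), "w", encoding="utf-8") as fh:
        fh.write("; constructed example\n(vendored_dirs vendor)\n")
    with open(os.path.join(root, "src", "dune"), "w", encoding="utf-8") as fh:
        fh.write("(executable (name main) (libraries fix))\n")

def demo():
    """Build the constructed tree in a temp dir and report its vendored dirs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return vendored_dirs(root)

if __name__ == "__main__":
    print(demo())
```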
