De-vendor orig.tar.gz: gnulib and more

Speaker: Simon Josefsson

Track: Packaging, policy, and Debian infrastructure

Type: Short talk (20 minutes)

Room: Somin

Time: Aug 01 (Thu): 11:00

Duration: 0:20

I will discuss how to achieve de-vendored orig.tar.gz upstream source code archives, with a focus on upstreams that use gnulib, but will also discuss general aspects. Avoiding vendoring gnulib and other files offers several advantages, including being able to security patch gnulib code in one package (the Debian gnulib package) and have that code trickle down to all packages using gnulib. Another advantage is reducing the amount of duplicated code that people have to audit to find concerns like the xz utils incident. I will cover progress in packaging since the idea was first introduced, and discuss some open issues still remaining.
