Hi,
Matthew Nicholson wrote:
> From a packager's standpoint, using the system headers makes security
> bugs more explicit. If the packager's build system knows that monotone
> has a build time dependency on a particular library (even if it is
> header only) and a security bug is found in that library, then the
> packager knows it needs to recompile that library. If the library is
> bundled in monotone, that information is lost.

Thank you for this feedback from a packager's point of view.
However, contrary to what you seem to assume, recompiling the library does *not*
help with this kind of dependency. You need to recompile and repackage
monotone. In this regard, header-only dependencies are rather different
from library dependencies.