Re: [Monotone-devel] nvm.asio


From: Matthew Nicholson
Subject: Re: [Monotone-devel] nvm.asio
Date: Tue, 27 Jan 2009 07:57:54 -0600
User-agent: Mozilla-Thunderbird 2.0.0.17 (X11/20081018)

Markus Wanner wrote:
> Hi,
>
> Matthew Nicholson wrote:
>> From a packager's standpoint, using the system headers makes security
>> bugs more explicit.  If the packager's build system knows that monotone
>> has a build time dependency on a particular library (even if it is
>> header only) and a security bug is found in that library, then the
>> packager knows it needs to recompile that library.  If the library is
>> bundled in monotone, that information is lost.
>
> Thank you for this feedback from a packager's point of view.
>
> However, unlike you seem to assume, recompiling the library does *not*
> help with this kind of dependency. You need to recompile and repackage
> monotone. In this regard, header-only dependencies are rather different
> from library dependencies.

Yeah.  That was supposed to say recompile monotone, but you get the idea.

> But, yeah, I take the point that packagers like the information that
> monotone is "build time dependent" on boost. That would get lost if we
> drop the dependency and incorporate the headers.



--
Matthew Nicholson
matt-land.com



