Re: gnulib and distros

[James Youngman]

On Tue, Nov 18, 2008 at 11:30 AM, Colin Watson <address@hidden> wrote:

> "Convenience copies" of code have a bad reputation with distributions in
> general, particularly with distribution security teams. For example,
> zlib has had a couple of security flaws which we've had to fix in Debian
> stable, and while investigating these it was further discovered that
> quite a number of packages linked to it statically or even kept their
> own private copies, and so each of those had to get separate security
> updates. Packages often copy ffmpeg around because it rarely gets proper
> upstream releases, and this has been something of a nightmare. xpdf,
> pcre, Mozilla - the list goes on
> (http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0).

In the specific case of gnulib there is also no standalone release of.
 However, it is perfectly possible for a program using gnulib to
clearly indicate which version of gnulib it includes:

$ find --version
find (GNU findutils) 4.4.0
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Eric B. Decker, James Youngman, and Kevin Dalley.
Built using GNU gnulib version e5573b1bad88bfabcda181b9e0125fb0c52b7d3b
Features enabled: D_TYPE O_NOFOLLOW(enabled) LEAF_OPTIMISATION FTS()
CBO(level=0)


Perhaps it would be useful for the gnulib version number in the
version information to be followed by the latest date of any included
commit, or some such similar date.  This could relieve the reader of
the necessity to access the gnulib git repository to determine if this
tool is also affected by some bug.

James.