bundled libraries in ports, any policy?

[René Ladan]

Hi,

while trying to port Chromium 36 the build tripped over a 'forbidden shim
include', which was an attempt to resolve link-time symbol collisions.
This 'forbidden shim include' turns out to happen (only now!) because the
port sets the "official build" flag which is incompatible with these 'shim
includes'.  Official builds (from upstream point of view) do not allow
using system libraries, meaning everything has to be bundled under
third_party/ inside the source tree.  For Chromium 36 this means ~ 1 GB of
source code for 153 projects.  The (short-term) solution for the port would
be to not set the "official build" flag, which it really isn't anyway.

Upstream supports using system libraries for unofficial builds on a best
effort basis only, which if I understand correctly means among others:
- support can be dropped anytime
-  because the upstream build bots use the official builds, there are no
guarantees about functionality, speed, and security

An advantage for upstream is that they can "tweak" these bundled libraries
for their convenience (their libusb is an example).  One downside of this
policy is security, but they do quite a good job of tracking security bugs
and finding these themselves.

Although the above example is specific to Chromium, do we want a policy for
bundled libraries in general? For example, Fedora an Gentoo have a policy
that favors the use system libraries (what we call LIB_DEPENDS), see [1]
and [2].

[1] https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
[2] http://wiki.gentoo.org/wiki/Why_not_bundle_dependencies

Regards,
Rene
-- 
http://www.rene-ladan.nl/