musescore 2.0.3+dfsg-1

Jonas Smedegaard dr at jones.dk
Thu Jul 14 16:59:08 UTC 2016


[replying only to list, as per mailing list policy]

Quoting Peter Jonas (2016-07-14 18:18:56)
> As Tiago said the policy is a guideline,

Agreed.  But a strong recommendation: For starters, each inclusion of an 
embedded code copy is a burden on the security team!


> but I don't believe it applies here anyway. The policy defines 
> convenience copies as dependencies included "so that users compiling 
> from source don't have to download multiple packages". It goes on to 
> say that the policy does not apply when "the included package is 
> explicitly intended to be used in this way."
> 
> Freetype is not included for convenience. It is 
> included because MuseScore's code has been tailored towards a specific 
> version of Freetype and other versions of Freetype have been known to 
> cause problems in the past.

I believe it does apply here: What Policy mentions as reason for not 
avoiding embedded code copies is if the _library_ is intended to be used 
that way - not if the consuming project intended to do so (arguably it 
is always intentional).

Freetype has had quite a few bugs in the past, but fixating to a "known 
working release" is *not* the solution, as that only hides the problems 
- something we explicitly promise not to do in Debian.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private