On 2015-01-08, 03:36 GMT, Richard Shaw wrote:
> In the specific case I ran into one of the package suites I've been working
> on technically bundles a modified copy of xmlrpcpp. However, it is quite
> modified, upstream is dead, it's not already in Fedora, and the author I'm
> working with only uses it for communication between his suite of programs
> and has no intention of offering it as a separate library.

Hi,

I think in the end it is not that much a matter of definition as of where the buck stops. I believe there are these questions which need to be answered:

1) Will you be able to identify a security concern? Way more simple for the independent, well-known library than for some directory down in your project. Even more difficult for hundreds of bundled libraries scattered all over the system (the famous Debian libz issue).

2) Who will fix the issue? Because if there is no well-maintained upstream for the library, or if the maintainer of your upstream is not willing or able to fix any issue which comes her way, then there is only one person who is responsible for fixing any such issue: you.

Best,

Matěj

--
http://www.ceplovi.cz/matej/, Jabber: mcepl<at>ceplovi.cz
GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC

"Push to test." (click) "Release to detonate..."
  -- from a bugzilla quip list