|
I can't really entirely justify my unease since this request models existing practice, but this idea makes me uneasy. I think, in general, we should attempt to vendor as few libraries as possible. Good reasons for vendoring include that we cannot deliver required functionality across all platforms without vendoring (think boost), or that persisted data has a hard dependency on a specific version (think icu), or that we require local modifications to make the package work for us (several). The compression libraries don't generally fall into any of these categories. In many cases I think we would be better off using the system version, as long as it was of a sufficient API/ABI rev to meet our programmatic needs. Any package we vendor becomes another for which we need to track and perform updates, backport those, deal with CVEs, etc. I wonder if the right way to go here is to actually go the other way and start making more use of system packages. Should we instead use the system libunwind if it is found to be a sufficient version, which is probably configured correctly to use lzma if it is available on the system? The point about additional dependencies is true, but mitigated for all cases where users install via a package management system. Hopefully that is an increasingly large subset of our users.
|