From Mageia wiki

This page tries to list all packages that carry bundled (standalone or vendored) copies of system libraries. Using bundled copies rather than the system libraries generally has many disadvantages, such as difficult and time-consuming fixes for security issues across many packages, instead of a single fix in the system library.

Please extend this page, as this helps keep an overview when doing security or bug fixes. It should also be used to list any exceptions where we still do static linking.

The structure should be: a new headline for each library, and below it a listing of the packages which carry a bundled copy or which are linked statically, maybe some version information (to ease checking for security vulnerabilities) and maybe some reasons.

expat

  • mozjs78 - carries an embedded expat (presumably other mozjs versions as well)

ffmpeg

  • avidemux - carries ffmpeg ~0.6 in mga1, carries 0.9 in cauldron
  • blender - carries an unknown ffmpeg version and custom patches
  • gstreamer0.10-ffmpeg - carries ffmpeg 0.6 for mga1, has been switched to use system ffmpeg in cauldron
  • mplayer - carries ffmpeg 0.6 for mga1, has been switched to use system ffmpeg in cauldron
  • xvidcap - carries an unknown ffmpeg version (seems rather old); should be switched to use system ffmpeg in cauldron

libpng

  • firefox and mozilla-thunderbird - use a bundled copy of libpng for the updates/1 branch, as the otherwise necessary libpng update is a no-go

readline

  • mariadb - carries an internally maintained readline v5 (which is still GPLv2, while readline v6 has been licensed as GPLv3) and is linked statically into the client, because GPLv3 libs can't be linked into mariadb (which is GPLv2)

Not yet packaged

More

  • Bugs listing more packages with bundled dependencies: 33973 13167

Similar pages from other distributions

https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries