This page tries to list all packages that carry bundled (standalone or vendored) copies of system libraries. Using bundled copies rather than the system libraries generally has many disadvantages, such as difficult and time-consuming fixes for security issues, which must be applied to many packages instead of only to the system library.
Please extend this page, as this helps keep an overview when doing security or bug fixes. It should also be used to list any exceptions where we still do static linking.
The structure should be: a new headline for each library, and below it a listing of the packages which carry a bundled copy or which are linked statically, maybe some version information (to ease checking for security vulnerabilities) and maybe some reasons.
expat
- mozjs78 - carries an embedded expat (presumably other mozjs versions as well)
ffmpeg
- avidemux - carries ffmpeg ~0.6 in mga1, carries 0.9 in cauldron
- blender - carries unknown ffmpeg version and custom patches
- gstreamer0.10-ffmpeg - carries ffmpeg 0.6 for mga1, has been switched to use system ffmpeg in cauldron
- mplayer - carries ffmpeg 0.6 for mga1, has been switched to use system ffmpeg in cauldron
- xvidcap - carries an unknown ffmpeg version (seems rather old); should be switched to use system ffmpeg in cauldron
libpng
- firefox and mozilla-thunderbird - use a bundled copy of libpng for the updates/1 branch, as the otherwise necessary libpng update is a no-go
readline
- mariadb - carries an internally maintained readline v5 (which is still GPLv2, while readline v6 has been licensed as GPLv3), linked statically into the client because GPLv3 libs can't be linked into mariadb (which is GPLv2)
Not yet packaged
- plt/racket http://racket-lang.org/
- libequalizer http://www.equalizergraphics.com/
More
Similar pages from other distributions:
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries