From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <caml-list-owner@inria.fr>
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83])
	by c5ff346549e7 (Postfix) with ESMTPS id 70EC15D4
	for <caml-list@inbox.ocaml.org>; Mon,  2 Mar 2020 09:33:08 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.70,506,1574118000"; 
   d="scan'208";a="438305696"
Received: from sympa.inria.fr ([193.51.193.213])
  by mail2-relais-roc.national.inria.fr with ESMTP; 02 Mar 2020 10:33:07 +0100
Received: by sympa.inria.fr (Postfix, from userid 20132)
	id 9DDCD7F3B1; Mon,  2 Mar 2020 10:33:07 +0100 (CET)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83])
	by sympa.inria.fr (Postfix) with ESMTPS id D03CD7F3B1
	for <caml-list@sympa.inria.fr>; Mon,  2 Mar 2020 10:33:04 +0100 (CET)
Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=francois.bobot@cea.fr; spf=Pass smtp.mailfrom=francois.bobot@cea.fr; spf=None smtp.helo=postmaster@sainfoin-smtp-out.extra.cea.fr
IronPort-PHdr: =?us-ascii?q?9a23=3ASdWy4hWjJsEbzrLQJZ44bNzFzv/V8LGtZVwlr6E/?=
 =?us-ascii?q?grcLSJyIuqrYYxyDt8tkgFKBZ4jH8fUM07OQ7/m8HzVYvd3Z6jgrS99laVwssY?=
 =?us-ascii?q?0uhQsuAcqIWwXQDcXBSGgEJvlET0Jv5HqhMEJYS47UblzWpWCuv3ZJQk2sfQV6?=
 =?us-ascii?q?Kf7oFYHMks+5y/69+4HJYwVPmTGxfa5+IA+5oAnMucQam5ZuJro+xxfGvndEZf?=
 =?us-ascii?q?ldyH91K16Ugxvz6cC88YJ5/S9Nofwh7clAUav7f6Q8U7NVCSktPn426sP2qxTN?=
 =?us-ascii?q?VBOD6XQAXGoYlBpIGBXF4wrhXpjtqCv6t/Fy1zecMMbrUL07QzWi76NsSB/1lC?=
 =?us-ascii?q?cKMiMy/W/LhsBsiq9QvRSsrAF9zYHJeoGYLOdwcL3Tfd0aRmRPUMheWCNDDYyg?=
 =?us-ascii?q?YIUCFPYBMOVCooXhu1cDoxmzCA+xD+3v0D9IgXr20LU63eQ7Cw7G2hQnH9UPsH?=
 =?us-ascii?q?TPtNr4KaASXvuyzKnU0D7OaP1W2S3n54jObh8hpvCMXalqfcXKzkkgDATFjkmL?=
 =?us-ascii?q?pIP5ITyazP4Bs2aB7+d5U++klm0pqxlprzSyyMoglJPFip8Ux13G7yl13YI4Kc?=
 =?us-ascii?q?OiREJlf9KpE4NcuzyUOodoWM8uXmBltScgxrEbvZO3YjIGxIk5yxPZdveJaZKH?=
 =?us-ascii?q?4gj5W+aUOTp4hGxqeLa4hxuq6kiv0Oz8Vs+60FZNrypFlMDAtmsI1xzP8siLU/?=
 =?us-ascii?q?x9/lq92TqVyQ/S5f1EIVoumqbBN5Eu3KQ/moAdsUTZBiP2mUP2g7GKdkg85+Sl?=
 =?us-ascii?q?5frrbq/7qpKdNYJ4kBzyP6AwlsClH+g0LAsDU3Ce+eum1b3j+UP5QK9Njv0ziq?=
 =?us-ascii?q?TZvoraKt4dpqGlBA9V050j5wykADehy9sYmmUHIUlZdx2ZlYflIV/OIOrgAfel?=
 =?us-ascii?q?n1usiCtrx+zBPrD5HprCNH3DkLP4cbZ56k5c0xYzwMtE55NUD7EBOOj8VlXwtN?=
 =?us-ascii?q?zeFB85Mha7z/zpCNVnhcsiXjeEC6qddafTqkOg5+Q1IuDKapVGliz6Lq0L/ffo?=
 =?us-ascii?q?Ang4gmg3eqOuwdNDZmqxGP9hIl7fa33mhcspGmoD+AQkGr+5wGaeWCJeMi7hF5?=
 =?us-ascii?q?k34Ss2Xdr/UNXzA7u1ibnE5x+VW51bYmcdUAKXGHbueYKFXbIXbT6KZ8h8jnoJ?=
 =?us-ascii?q?RaS7Qskq2BjouhWok+M2fNqRwTURsNfY7PYw4uTSkR8o8jkkXc+Q2ieDVTMtxz?=
 =?us-ascii?q?9ad3oNxKl65HdF5BKby6Eo0fdVHJpd/aERXw=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AHAgB+0Vxeh+TAp4RmHAEBAQEBBwEBE?=
 =?us-ascii?q?QEEBAEBgXuBfYFuATCEPokDhXuFf5dQCQEDAQwtAgQBAYRAAoILHAcBBDQTAhA?=
 =?us-ascii?q?BAQUBAQECAQIDBAETAQEBCgsJCCmFaYI7IoMHAwMjDwFWCxoCJgICVxMIAQGDI?=
 =?us-ascii?q?oJ8qnmBMoVKg2OBBIEOKolcgkmCGoE4gj8uPoUYgkSCXgSOHqF9B4FBfpZgIo8?=
 =?us-ascii?q?OjCOqZIFpgXpNJ0yCbU8YDY43Hm8BAo0fQQGBOZBOAQE?=
X-IPAS-Result: =?us-ascii?q?A0AHAgB+0Vxeh+TAp4RmHAEBAQEBBwEBEQEEBAEBgXuBfYF?=
 =?us-ascii?q?uATCEPokDhXuFf5dQCQEDAQwtAgQBAYRAAoILHAcBBDQTAhABAQUBAQECAQIDB?=
 =?us-ascii?q?AETAQEBCgsJCCmFaYI7IoMHAwMjDwFWCxoCJgICVxMIAQGDIoJ8qnmBMoVKg2O?=
 =?us-ascii?q?BBIEOKolcgkmCGoE4gj8uPoUYgkSCXgSOHqF9B4FBfpZgIo8OjCOqZIFpgXpNJ?=
 =?us-ascii?q?0yCbU8YDY43Hm8BAo0fQQGBOZBOAQE?=
X-IronPort-AV: E=Sophos;i="5.70,506,1574118000"; 
   d="scan'208";a="438305683"
X-MGA-submission: =?us-ascii?q?MDH/EwQJ1/NHKaWJvK5BtO7/nuF3xT6VVSp5ik?=
 =?us-ascii?q?PPVq42rGgs7IV6lteAlfc+l8bOy9QcvkVsZkI/q07QKEaONC1SDMbfJ0?=
 =?us-ascii?q?OPYjOZ6D9OYJae4n4fFlFuEkST5oAqQbS9TexsAzRGLsQ0bAYvzWjo4f?=
 =?us-ascii?q?91avtxGhBcnfUlvp5qiLRP7w=3D=3D?=
Received: from sainfoin-smtp-out.extra.cea.fr ([132.167.192.228])
  by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Mar 2020 10:33:02 +0100
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21])
	by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 0229X2rk030103
	for <caml-list@inria.fr>; Mon, 2 Mar 2020 10:33:02 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1])
	by localhost (Postfix) with SMTP id A3D1C206513
	for <caml-list@inria.fr>; Mon,  2 Mar 2020 10:33:02 +0100 (CET)
Received: from muguet1-smtp-out.intra.cea.fr (muguet1-smtp-out.intra.cea.fr [132.166.192.12])
	by pisaure.intra.cea.fr (Postfix) with ESMTP id 9A09C2064F8
	for <caml-list@inria.fr>; Mon,  2 Mar 2020 10:33:02 +0100 (CET)
Received: from [10.8.35.70] (is231141.intra.cea.fr [10.8.35.70])
	by muguet1-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 0229X2UU026671
	for <caml-list@inria.fr>; Mon, 2 Mar 2020 10:33:02 +0100
To: caml-list@inria.fr
References: <f50f0acb-9e02-cc29-6da7-6e56f33f8b42@inria.fr>
 <20200229084124.GC11122@rich.annexia.org>
 <7277977a-213a-1c3d-ec70-214e2d248350@inria.fr>
From: =?UTF-8?Q?Fran=c3=a7ois_Bobot?= <francois.bobot@cea.fr>
Message-ID: <0b4352c4-91b6-a5ce-41ed-e5388e569754@cea.fr>
Date: Mon, 2 Mar 2020 10:33:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <7277977a-213a-1c3d-ec70-214e2d248350@inria.fr>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Subject: Re: [Caml-list] (dune/opam) Proper way of vendoring a library
 inside an application?
Reply-To: =?UTF-8?Q?Fran=c3=a7ois_Bobot?= <francois.bobot@cea.fr>
X-Loop: caml-list@inria.fr
X-Sequence: 18034
Errors-to: caml-list-owner@inria.fr
Precedence: list
Precedence: bulk
Sender: caml-list-request@inria.fr
X-no-archive: yes
List-Id: <caml-list.inria.fr>
List-Archive: <http://sympa.inria.fr/sympa/arc/caml-list>
List-Help: <mailto:sympa_inria@inria.fr?subject=help>
List-Owner: <mailto:caml-list-request@inria.fr>
List-Post: <mailto:caml-list@inria.fr>
List-Subscribe: <mailto:sympa_inria@inria.fr?subject=subscribe%20caml-list>
List-Unsubscribe: <mailto:sympa_inria@inria.fr?subject=unsubscribe%20caml-list>

Le 29/02/2020 à 12:20, François Pottier a écrit :
> I don't see how it could cause any packaging problem; it should
> be transparent. The copy of Fix embedded inside Menhir is used
> when Menhir is installed and is immediately thrown away.
> 

Even if it is perhaps not applicable for Fix which is a small library, without attack surface.
Generally if there is a security bug in Fix, distributions don't want to need to patch it in all the
package which vendor Fix. Patching Fix once is simpler, more efficient and safer.

But for a distribution removing this vendor directory just mean to remove it, no other modifications
are needed; dune will then used the installed dependency. Package creator could look at
`(vendored_dirs vendor)` to find those directories. Of course the version can be different from the
last version of Fix. But to choose common version is usually the hurdle of packagers (which we
should strive not to burden more!).

Best,

-- 
François