Perl Modules: CPAN vs Yum

Jared Smith jaredsmith at jaredsmith.net
Tue Jul 3 16:30:33 MDT 2012


On Tue, Jul 3, 2012 at 1:14 PM, Tod Hansmann <plug.org at todandlorna.com> wrote:
> Why don't the devs just include any libraries they want inside the app
> they want you to deploy.

Ah, the bundle.  And it's not a bundle of joy.  (And if you've seen
the recent Vonage commercial, you should be scared when I say "We all
bundle".)

There are several compelling reasons not to bundle libraries, but the
one that sticks out the most in my mind is when a security problem is
found in one of the bundled libraries.  You essentially have to go
through and make sure that each bundled copy of the library gets
updated with the security patch.  If you instead link to one single
library, once that's updated, you know that every user of that library
is now secure.

A second reason is forking.  When you bundle libraries, it becomes
really tempting to fork the bundled library and add your own patches
to it, rather than pushing patches upstream.

Trust me -- no sysadmin worth his salt wants a dozen different
versions of a single library in various places on a machine, let alone
a dozen forked copies of said library.  This is why the packaging
guidelines in many distributions (such as Fedora) prohibit bundled
libraries.

--
Jared Smith

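An added example (not part of Jared's post) of the audit chore he describes: walk a filesystem for every copy of a Perl module, bundled or system-installed, and report the ones whose $VERSION is still below the patched release. The module name Foo::Bar, the directory layout and the version numbers are all constructed for the demo.

```python
"""Inventory every copy of a Perl module under a root and flag the unpatched ones."""
import os
import re
import tempfile

# Common assignment forms: our $VERSION = '2.10';  $VERSION = "2.04";  our $VERSION = 2.10;
VERSION_RE = re.compile(r"""\$VERSION\s*=\s*['"]?(v?\d+(?:\.\d+)*)['"]?\s*;""")

def version_key(v):
    """Perl rules: 'v1.2.3' or two-plus dots is dotted-decimal; a plain '1.10' is a
    decimal whose fraction is read in 3-digit groups (1.10 -> (1,100), 1.002003 -> (1,2,3))."""
    if v.startswith("v") or v.count(".") > 1:
        return tuple(int(p) for p in v.lstrip("v").split("."))
    whole, _, frac = v.partition(".")
    frac = frac.ljust(-(-len(frac) // 3) * 3, "0") or "000"
    return (int(whole),) + tuple(int(frac[i:i + 3]) for i in range(0, len(frac), 3))

def find_module_copies(root, module):
    """Yield (path, version-or-None) for every Foo/Bar.pm below root, wherever it lives."""
    rel = os.sep + os.path.join(*module.split("::")) + ".pm"
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if path.endswith(rel):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    m = VERSION_RE.search(fh.read())
                yield path, (m.group(1) if m else None)

def unpatched_copies(root, module, fixed_version):
    """Copies older than fixed_version, plus any with no parsable $VERSION (check by hand)."""
    fixed = version_key(fixed_version)
    return sorted(p for p, v in find_module_copies(root, module)
                  if v is None or version_key(v) < fixed)

def build_sample_tree():
    """Constructed layout: the yum-installed copy plus two copies bundled inside apps."""
    root = tempfile.mkdtemp()
    copies = {
        "usr/share/perl5/vendor_perl/Foo/Bar.pm": "package Foo::Bar;\nour $VERSION = '2.10';\n1;\n",
        "opt/app1/lib/Foo/Bar.pm": 'package Foo::Bar;\n$VERSION = "2.04";\n1;\n',
        "opt/app2/vendor/Foo/Bar.pm": "package Foo::Bar;\nour $VERSION = 2.10;\n1;\n",
    }
    for rel, body in copies.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path in unpatched_copies(root, "Foo::Bar", "2.10"):
        print("still unpatched:", path)
```

Point the root at / on a real box to see how many bundled copies a single advisory would make you chase; the system copy from yum is the one that updates itself.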