Post Syndicated from original https://lwn.net/Articles/842319/rss

The problems with “vendoring” in packages—bundling dependencies rather than
getting them from other packages—seems to crop up frequently these days.
We looked at Debian’s concerns about
packaging Kubernetes and its myriad of Go
dependencies back in October. A more recent discussion in that
distribution’s community looks at another famously dependency-heavy
ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems
are not immune to the problem, as we saw with
iproute2 and libbpf back in November; the discussion of vendoring seems
likely to recur over the coming years.