This section explains why bundled dependencies are considered bad and what to do about them.
Some software requires the porter to locate third-party libraries and add the required dependencies to the port. Other software bundles all necessary libraries into the distribution file. The second approach seems easier at first, but there are some serious drawbacks:
This list is loosely based on the Fedora and Gentoo wikis, both licensed under the CC-BY-SA 3.0 license.
If vulnerabilities are found in the upstream library and fixed there, they might not be fixed in the library bundled with the port. One reason could be that the author is not aware of the problem. This means that the porter must fix them, or upgrade to a non-vulnerable version, and send a patch to the author. This all takes time, which results in software being vulnerable longer than necessary. This in turn makes it harder to coordinate a fix without unnecessarily leaking information about the vulnerability.
This problem is similar to the problem with security in the last paragraph, but generally less severe.
It is easier for the author to fork the upstream library once it is bundled. While convenient on first sight, it means that the code diverges from upstream making it harder to address security or other problems with the software. A reason for this is that patching becomes harder.
Another problem of forking is that because code diverges from upstream, bugs get solved over and over again instead of just once at a central location. This defeats the idea of open source software in the first place.
When a library is installed on the system, it might collide with the bundled version. This can cause immediate errors at compile or link time. It can also cause errors when running the program which might be harder to track down. The latter problem could be caused because the versions of the two libraries are incompatible.
When bundling projects from different sources, license issues can arise more easily, especially when licenses are incompatible.
Bundled libraries waste resources on several levels. It takes longer to build the actual application, especially if these libraries are already present on the system. At run-time, they can take up unnecessary memory when the system-wide library is already loaded by one program and the bundled library is loaded by another program.
When a library needs patches for FreeBSD, these patches have to be duplicated again in the bundled library. This wastes developer time because the patches might not apply cleanly. It can also be hard to notice that these patches are required in the first place.
Whenever possible, use the unbundled version of the
library by adding a LIB_DEPENDS to the
port. If such a port does not exist yet, consider creating
it.
Only use bundled libraries if the upstream has a good track record on security and using unbundled versions leads to overly complex patches.
In some very special cases, for example emulators, like
Wine, a port has to bundle
libraries, because they are in a different architecture, or
they have been modified to fit the software's use. In that
case, those libraries should not be exposed to other ports
for linking. Add BUNDLE_LIBS=yes to the
port's Makefile. This will tell
pkg(8) to not compute provided libraries. Always ask
the Ports Management Team <portmgr@FreeBSD.org> before adding this to a port.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.