Debian Discusses Vendoring–Again

This page summarizes the projects mentioned and recommended in the original post on

  • GitHub repo nixpkgs

    Nix Packages collection

    > Whether the vendoring approach is used depends on the actual tools being used, but that is mostly irrelevant.

    I don't think it is though? Because...

    > So to answer your question, you only need to change a single file. For the requests library, this one[1]. You might also be interested in how Nix manages patches for NPM packages[2]. The amount of manual fixes required is surprisingly few.

    Right, I assume python is easier in this scenario since there are not many cases where a python project would install N different versions of one package. I don't quite understand how these work if a python project depends on separate versions?

    For the nodejs part I'm more curious. node_modules sometimes contain multiple versions of the same dependency, sometimes across multiple major versions. The patching in the files seems fairly trivial sed replacements and rpath rewrites. But how would security patches be applied across versions?

    I also took a quick look at the go stuff, and it seems like there is no such thing there, as `deleteVendor` defaults to false, thus each Go application is self-contained. How would patching dependencies work here?

  • GitHub repo cargo-deb

    A cargo subcommand that generates Debian packages from information in Cargo.toml

    Cargo already has one:


  • GitHub repo haskell.nix

    Alternative Haskell Infrastructure for Nixpkgs

    Fine-grain dependencies are crucial, but vendoring is terrible.

    Check out for technical solutions to getting the best of both worlds.

    Sorry, but there's just no way APT and RPM are going to keep up here very well.
