Yup! Thanks for pointing that out! I've edited MyConfig.pm and will re-do the test with suggests_policy and recommends_policy at 0.
Do you feel the 'large number of dependencies' point is valid for other distros?
Chronicler: The Domici War (domiciwar.net)
General Ne'er-do-well (github.com/LeamHall)
I prefer to avoid large numbers of dependencies but that comes from an efficiency standpoint rather than a security one. For a persistent process, more dependencies usually means more RAM which could often be put to better use. For a non-persistent process, more dependencies usually means slower start-up time and that's not good either. It's not cast in stone - sometimes the trade-off is worth it.
Another advantage of fewer non-core dependencies is the rate of change. Core modules can change, but they tend to get a lot more testing and review. They also tend to be mature and stable, and will not significantly change often. If I use a lot of non-core modules, things can change a lot faster than my application. Thus I either have to deny upgrades by pinning versions, or manually update often. Neither option seems good to me.
Chronicler: The Domici War (domiciwar.net)
General Ne'er-do-well (github.com/LeamHall)
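To make the core/non-core distinction in the post above concrete, here is an added example (not code from the thread or from either poster) that sorts a dependency list into modules shipped with the running perl and modules that would have to come from CPAN. It uses Module::CoreList, which is itself a core module; the list of module names is a constructed sample chosen only to show both outcomes.

```perl
#!/usr/bin/env perl
# Added example, not from the thread: classify dependencies as core or
# non-core for the running perl using Module::CoreList.
use strict;
use warnings;
use Module::CoreList;

# Constructed sample dependency list. In practice, feed it the module names
# from your cpanfile or Makefile.PL.
my @deps = qw(
    strict
    File::Spec
    Getopt::Long
    JSON::PP
    JSON::XS
    Moose
    DateTime
);

# Returns { core => [...], non_core => [...] } for the given perl version
# (defaults to the running interpreter, $]). A module counts as core only if
# it was first shipped at or before that version and not removed by then.
sub classify_deps {
    my ($deps, $perl_version) = @_;
    $perl_version //= $];
    my %out = (core => [], non_core => []);
    for my $mod (@$deps) {
        my $first   = Module::CoreList->first_release($mod);
        my $removed = Module::CoreList->removed_from($mod);
        my $is_core = defined $first
            && $first <= $perl_version
            && (!defined $removed || $removed > $perl_version);
        push @{ $out{ $is_core ? 'core' : 'non_core' } }, $mod;
    }
    return \%out;
}

my $report = classify_deps(\@deps);
printf "perl %vd\n", $^V;
printf "core (%d): %s\n",
    scalar @{ $report->{core} }, join(', ', @{ $report->{core} });
printf "non-core (%d): %s\n",
    scalar @{ $report->{non_core} }, join(', ', @{ $report->{non_core} });

# Exit non-zero when anything non-core remains, so the check can gate a build.
exit(@{ $report->{non_core} } ? 1 : 0);
```

Pass a version such as `5.010000` as the second argument to `classify_deps` to see what the same list looks like against an older perl. For the pinning option the post mentions, a cpanfile accepts exact-version constraints of the form `requires 'Moose', '== 2.2201';`, which holds a non-core module at one release until you choose to move it.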