Vinnie Falco via Boost:
The more sustainable solution I think is to require that users are able to incorporate third party libraries into their build scripts. This is made easier with package managers of course, and now there are enough solutions that we do not need to be treating users like infants incapable of putting together a non-trivial program.

Nigel via Boost:
Our specific requirement is to statically link _our_ preferred version of zlib built from _our_ pristine (and possibly patched) repo. [...] But, building and linking a boost-bundled zlib would be pretty close to that, and pretty workable in terms of bringing our patches on top.

I have a strong background in building software for HPC systems from source with some software using recipes (similar to Docker files). A major pain point are libraries that keep bundling well known libraries in their builds, or even worse: Downloading them during configure/build steps. Especially when the version they use is a patched variant of some upstream source.

This leads to a) duplication of libraries on the system and b) complications using different libraries together as the dependencies may conflict with each other -> ODR violations and similar. Hence we (the community behind the "build software") spend considerable effort in making such software use the already installed (sometimes called "system") libraries.

So bundling something like zlib with Boost not only increases the maintenance cost of Boost as now it would be our responsibility to make sure all security patches are applied (at the same time security patches to the system or otherwise installed libraries are not included until a new Boost release) but also may lead to subtle failures in consumers.

For use cases like using a specific version of some specific library in an environment where compatibility between libs is otherwise handled it is nowadays trivial to get the source of that library as most are available on e.g. GitHub using version tags. In fact that is how it is done on those HPC systems: Sources get downloaded from known, fixed locations and verified against checksums to ensure reproducibility and authenticity.

Alex
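The checksum-pinned source fetch described in the message above, as an added example that is not code from the thread or from any build tool it mentions. The recipe fields, the library name, the URL and the archive bytes are hypothetical and constructed for illustration; the download itself is replaced by a local file so the check runs offline.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large source archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_source(path, recipe):
    """True only if the archive matches the checksum pinned in the recipe."""
    pinned = recipe.get("sha256")
    if not pinned:
        # A recipe without a pin would accept whatever the server returns.
        raise ValueError("recipe for %s pins no checksum" % recipe["name"])
    return hmac.compare_digest(sha256_file(path), pinned.lower())


def demo():
    """Check a constructed archive before and after it is modified."""
    archive = b"constructed stand-in for a release tarball\n"
    recipe = {  # hypothetical recipe layout
        "name": "example-lib",
        "version": "1.0",
        "source_url": "https://example.invalid/example-lib-1.0.tar.gz",
        "sha256": hashlib.sha256(archive).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-lib-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(archive)
        pristine_ok = verify_source(path, recipe)
        # Same file name and version, different bytes: the pin must reject it.
        with open(path, "ab") as f:
            f.write(b"bytes added after the recipe was written\n")
        modified_ok = verify_source(path, recipe)
    return pristine_ok, modified_ok


if __name__ == "__main__":
    print(demo())
```
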