[Secure-testing-team] embedded library copies in monotone

Florian Weimer fw at deneb.enyo.de
Sun Oct 21 21:51:15 UTC 2007


* Zack Weinberg:

>> Well, you have to, because currently, upstream is in breach of the PCRE
>> license (haven't checked the other libraries).  See, if you use your own
>> private copies, you have to take care of all the nitty-gritty details
>> yourself.
>
> If you're talking about what I think you are (statement of licensing
> needed to be copied into the AUTHORS file), it has already been fixed.

Yepp, something along those lines.  I think you should add parts of the
AUTHORS file to debian/copyright, too.

>> I think your copy of SQLite is mostly unpatched, and libpcre3 has quite
>> a good track record as far as backwards compatibility is concerned (same
>> for SQLite).
>
> I think that's the case as well - but the principal concern here is
> not API breaks and not bugs clearly in the library or clearly in the
> application.  The principal concern is interaction bugs provoked by
> using the application with a version of the library that it has never
> been tested with.

We've got dependencies for that, as you noted below.

> PCRE is a special case: regular expressions are not needed for core
> functionality, and the autoconf logic to use an external version is
> already present -- but if we permit version skew in PCRE, people who
> do clever things in their .mtn-ignore files may have them work or not
> work depending on where they got their copy of monotone.

Yuck, that's right.  It's not just "clever things", it could be
mistakes.  For instance, if you used a "\Redundant" regular expression,
that's equivalent to "Redundant" in older PCRE versions (which might be
your true intention), but newer versions add \R as an escape sequence,
so the expression means something completely different.

I think you really should restrict users to some sane subset. 8-/

>> I can understand that upstream wants to bundle third-party sources, but
>> it's Debian policy to prefer system libraries over bundled copies.
>
> If Debian cannot tolerate monotone's unusual situation I will, with
> regret, have the package removed from Debian.

I don't see how Monotone's situation is so unusual.  I understand that
you got bitten in the past, but so have others.  But with the notable
exception of some of the Java folks, we tend to rely on system
libraries, even if they make some things harder (updates, for instance,
or testing).

> Your statement borders on an accusation of bad-faith behavior.  Please
> choose your words more carefully in the future.

Yes, it was over the top.  Sorry about that.  But if everyone shipped
private copies of libraries they are deeply concerned with, we'd run
into severe issues.  So I'm glad that you view the current state of
affairs as a starting point, and not the final packaging.

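The `\Redundant` hazard above (a `.mtn-ignore` pattern whose meaning depends on which PCRE release compiled it) and the suggestion to restrict users to a sane subset, worked through as an added Python example that is not part of this thread, of monotone, or of PCRE. It emulates the two readings of the pattern by rewriting it for Python's `re` module: the "old PCRE" rewrite assumes an unknown letter escape means the literal letter, as the message says, and the "new PCRE" rewrite expands `\R` to the newline sequences PCRE's `\R` matches. It then shows a conservative checker that rejects any backslash-letter escape outside a fixed allowlist before the pattern ever reaches the regex library. The allowlist, the function names and the sample patterns are the editor's assumptions, not monotone's.

```python
import re

# Backslash-letter escapes treated here as stable across PCRE releases.
# ASSUMPTION: this allowlist is the editor's conservative choice for an
# ignore-file checker, not a list taken from PCRE or monotone.
STABLE_LETTER_ESCAPES = frozenset("dDsSwWbBntrfAZ")

# The newline sequences PCRE's \R matches (CR LF, LF, VT, FF, CR, NEL),
# spelled out so Python's re module can evaluate the "new PCRE" reading.
NEWLINE_SEQ = r"(?:\r\n|\n|\x0b|\f|\r|\x85)"


def letter_escapes(pattern):
    """Yield (offset, letter) for every backslash-letter escape in pattern.

    A doubled backslash is a literal backslash and is skipped, as is any
    escape of a non-letter such as \\. or \\/.
    """
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            nxt = pattern[i + 1]
            if nxt.isalpha():
                yield i, nxt
            i += 2          # skip the whole escape pair, whatever it was
        else:
            i += 1


def rewrite_escapes(pattern, mapping):
    """Replace each backslash-letter escape found in mapping; keep the rest."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(mapping.get(nxt, pattern[i:i + 2]))
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def as_old_pcre(pattern):
    """Old-PCRE reading: an unknown letter escape is just that letter."""
    unknown = {ch: ch for _, ch in letter_escapes(pattern)
               if ch not in STABLE_LETTER_ESCAPES}
    return rewrite_escapes(pattern, unknown)


def as_new_pcre(pattern):
    """Newer-PCRE reading: \\R is any newline sequence."""
    return rewrite_escapes(pattern, {"R": NEWLINE_SEQ})


def fullmatch(pattern, text):
    """True if the (already rewritten) pattern matches all of text."""
    return re.fullmatch(pattern, text) is not None


def check_ignore_pattern(pattern):
    """Accept only patterns whose letter escapes are in the allowlist.

    Returns (ok, reason).  Rejecting everything else up front means the
    pattern cannot silently change meaning when the PCRE behind it does.
    """
    try:
        bad = [(i, ch) for i, ch in letter_escapes(pattern)
               if ch not in STABLE_LETTER_ESCAPES]
    except ValueError as exc:
        return False, str(exc)
    if bad:
        i, ch = bad[0]
        return False, f"escape \\{ch} at offset {i} is outside the stable subset"
    return True, ""


if __name__ == "__main__":
    pat = r"\Redundant"                  # the pattern from the thread
    for name, rewritten in (("old PCRE", as_old_pcre(pat)),
                            ("new PCRE", as_new_pcre(pat))):
        for text in ("Redundant", "\nedundant"):
            print(f"{name}: {pat!r} vs {text!r} -> {fullmatch(rewritten, text)}")
    # Constructed ignore patterns: one unsafe, one in the stable subset.
    for candidate in (pat, r"\.orig$|\.rej$"):
        print(candidate, check_ignore_pattern(candidate))
```

Under the old reading `\Redundant` matches the file name `Redundant`; under the new reading it matches only a newline followed by `edundant`, so the same ignore file behaves differently depending on where the monotone binary got its PCRE. The checker refuses the pattern outright, which is the "sane subset" approach: an error at the time the ignore file is read, instead of a silently different set of ignored files later.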

