monotone-devel

Re: [Monotone-devel] bundled libs


From: Nathaniel Smith
Subject: Re: [Monotone-devel] bundled libs
Date: Sat, 19 Nov 2005 05:13:50 -0800
User-agent: Mutt/1.5.9i

On Sat, Nov 19, 2005 at 11:44:27AM +0100, Lapo Luchini wrote:
> OK, disk space is cheap, but I was wondering... why building
> (exclusively) with a bundled popt, a bundled LUA, a bundled sqlite and a
> bundled botan?
> All of three have got critical flaws whose patches were not accepted
> upstream?
> Or "just to be on the safe side"?
> Personally I much prefer to use shared libraries instead of big static
> build, I guess it's a matter of taste, but I was wondering if there was
> any "strong" reason behind it.

They've all had such critical flaws at some point or another, yeah,
and switching back and forth is too much effort.

At the current moment, IIRC popt has a bunch of critical fixes to
support -@ (not included upstream, because upstream is dead), LUA
dikes out some functions that would be insecure, sqlite is currently
unpatched, and botan may or may not have memory allocator patches (the
fixes were taken upstream, but I don't know if we've moved to that
upstream version yet).

You forget netxx, which is also abandoned upstream and has some local
error handling enhancements.

Overall, it's just a tradeoff; the amount of pain it would take to
deal with supporting whatever random versions people happened to have
lying around is too high a cost, when we have so many more important
problems to work on.

Cheers,
-- Nathaniel

-- 
The Universe may  /  Be as large as they say
But it wouldn't be missed  /  If it didn't exist.
  -- Piet Hein



