[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#57840: rust-sqlite3-src bundles sqlite3
|
From: |
Maxime Devos |
|
Subject: |
bug#57840: rust-sqlite3-src bundles sqlite3 |
|
Date: |
Thu, 15 Sep 2022 23:22:09 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0 |
X-Debbugs-CC: Aleksandr Vityazev <avityazev@posteo.org>
X-Debbugs-CC: Nicolas Goaziou <mail@nicolasgoaziou.fr>
(^ the pseudo-header, IIUC)
The patch series 53315 by Aleksandr Vityazev and accepted by Nicolas
Goaziou adds a crate rust-sqlite3-src that bundles sqlite3.
Bundling is against Guix policy for the reasons explained in the manual
I ask to:
(a) Remove the bundled copy (and if needed, adjust build.rs to always
do the pkg-config)
or
(b) Remove rust-sqlite3-src and dependents.
Additionally, for the future, I ask to check packages for bundling, and
recommend the following tricks for detecting bundling:
* if a crate name ends with -sys, there is a good chance it bundles
things
* likewise, if the synopsis or description mentions 'Bindings',
there's a good chance it bundles things.
* if a crate name contains some variation of the word 'source'
(e.g., -src), that can indicate bundling.
* if the Cargo.toml mentions 'bundled', 'system' or 'vendor' its
[features], it is bundling things.
* if the source code of a Rust package contains a .c or .h file,
it's likely bundling things
I would like to note that the bundled copy (version 3.34.1) has known
bugs that were fixed in later versions (including a CVE), according to
the changelog on the sqlite website.
Greetings,
Maxime
OpenPGP_0x49E3EE22191725EE.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
- bug#57840: rust-sqlite3-src bundles sqlite3,
Maxime Devos <=