On 16-09-2014 23:38, Ken Moffat wrote:
> On Tue, Sep 16, 2014 at 04:29:28PM -0300, Fernando de Oliveira wrote:
>> On 16-09-2014 12:49, Bruce Dubbs wrote:
>>> Fernando de Oliveira wrote:
>>>
>>
>> Debian, Gentoo, RedHat (Fedora), SUSE (they changed and ask in their
>> page to be named all capitals), Ubuntu, Arch and another one that I can't
>> remember all have sqlite-tcl. There are even many discussions about
>> "sqlite now depends on tcl?"
>>
> Thanks for doing the research. What really annoyed me on Monday
> was the local fixup I had to do to my scripts in a later commit [ I
> suppress static libs, anything using tcl needs the static lib to be
> made available, and I had overlooked that : that part is _my_
> problem ] only to find, when I had built that part, that BLFS had
> reverted to how it used to be.
>
> Now that you have said what you say above, I think this is very
> much a _potential_ security issue (if sqlite ever gets a
> vulnerability) and we should prevent it by using a shared system
> lib, i.e. by reverting the revert. Saying that "arch does it" is
> not necessarily a justification - at times, they seem to bleed more
> than we do (bleed as in "on the bleeding edge", getting problems),
> and I have mixed opinions on ubuntu. But if debian, gentoo, and
> fedora all do it then I think we should do the same.
>
> Sometimes, we make decisions too early - the one that always sticks
> in my mind was apng - I thought distros would follow the mozilla
> fork, but they didn't, so we are stuck with that decision: from time
> to time, firefox has been slow in picking up upstream png security
> fixes, at other times apng has been a little late - on balance using
> system apng has sometimes been better, but other times been worse.
>
> In the case of TCL and sqlite, using system sqlite looks like
> the best policy.
>
> Just to restate my policy for my own builds: if a package includes
> a library which is separately maintained, and part of BLFS, I use
> that package to provide a shared system lib. In other cases, where
> the external library appears to not have a separate/current
> upstream, I use the static library shipped with the package and hope
> that the package will fix any problems.

OK. I will research deeply, to see exactly the instructions used.

>>>> Then, I concluded we were facing a bug in BLFS and it should be
>>>> urgently fixed before the 7.6 release, and used ArchLinux as example.
>>>
>>> If the fix was trouble free, I don't have any objection, but it caused
>>> much more trouble than it was worth.
>>
>> I don't understand. Which troubles?
>>
>
> Bruce, please expand that comment.
>>>
>>>> The reversion I did yesterday is not my preferred one, just wanted to
>>>> run out of the problem. But in my particular machines, I will *remove*
>>>> SQLite from Tcl, because to the best of my knowledge, its own developers
>>>> fear it and *it is useless*, perhaps something they are developing for
>>>> future use.
>>>
>>> That's your choice of course, but I really don't think it matters either
>>> way.
>
> For consistency with the rest of BLFS, it appears to me that the
> real problem was the too-quick reversion. We have differences of
> opinion (and I seem to have more than most - e.g. I apparently
> pissed off Igor with my Mesa suggestions, because he only altered
> one part, and I've probably pissed off Ragnar with my comments on
> the epub dependency for okular), but _discussion_ is good, and it's
> what this list is supposed to be for.
>
> If somebody makes a suggestion, unless it is obviously correct (and
> perhaps even then!) we should allow people to discuss it, and give
> it some thought, before acting. For security issues, we should fix
> it if we can, and then if somebody disagrees - even Bruce - we
> should discuss and allow contributions before reverting.

I am willing to revert the reversal, after I am completely reassured,
so it will be a technical-only decision, and hope Bruce will not be
upset (a comment by Bruce would be helpful, just to break the ice
about this issue). Also other contributions to the discussion would
help Ken and myself much.

-- 
[]s,
Fernando
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
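The security argument in Ken's message is that a copy of SQLite compiled into the Tcl extension will not pick up fixes applied to the system libsqlite3, whereas a DT_NEEDED dependency on libsqlite3.so will. The script below is an added example for this thread, not code from BLFS, Tcl or SQLite; it tells the two cases apart for a built ELF shared object by reading the .dynamic section with only the Python standard library, and falls back to looking for an SQLite symbol name when no libsqlite3 dependency is recorded. It assumes little-endian ELF64 objects that still carry section headers (a fully stripped object without them needs the PT_DYNAMIC route that `readelf -d` takes), and the symbol-name marker used to detect a bundled copy is a heuristic chosen here, not anything SQLite defines. The `build_sample_elf` helper only fabricates minimal test objects so the check can be run offline.

```python
"""Does an ELF shared object use the system libsqlite3 (DT_NEEDED) or carry
its own compiled-in SQLite copy?

Added example for the blfs-dev thread, not BLFS, Tcl or SQLite code.
Assumptions: little-endian ELF64 with section headers present; the
symbol-name marker below is a heuristic, not an SQLite-defined signature.
"""
import struct
import sys

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SECTION_HEADER = "<IIQQQQIIQQ"      # Elf64_Shdr, 64 bytes
DYN_ENTRY = "<qQ"                   # Elf64_Dyn, 16 bytes
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
# An object that compiles sqlite3.c in *exports* this symbol name; one linked
# against libsqlite3.so *imports* it. Both therefore contain the string, so
# the DT_NEEDED test has to run first (assumption used by this example).
SQLITE_SYMBOL_MARKER = b"sqlite3_libversion_number"


def elf_needed(data: bytes) -> list:
    """Return the DT_NEEDED names of an ELF64 object, in link order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(ELF_HEADER, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SECTION_HEADER, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        str_off = shdrs[sh[6]][4]          # sh_link -> .dynstr, take its sh_offset
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_ENTRY, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                start = str_off + val
                needed.append(data[start:data.index(b"\x00", start)].decode())
            off += 16
    return needed


def classify_sqlite_linkage(data: bytes) -> str:
    """'system-shared' if libsqlite3.so is a DT_NEEDED dependency, 'bundled'
    if SQLite symbols are present without that dependency, else 'none'."""
    if any(name.startswith("libsqlite3.so") for name in elf_needed(data)):
        return "system-shared"
    if SQLITE_SYMBOL_MARKER in data:
        return "bundled"
    return "none"


def build_sample_elf(needed: list, extra: bytes = b"") -> bytes:
    """Constructed sample input: a minimal ELF64 holding only a .dynstr and a
    .dynamic section. `extra` stands in for the rest of a real object
    (symbol string tables and the like)."""
    dynstr, name_offsets = b"\x00", []
    for name in needed:
        name_offsets.append(len(dynstr))
        dynstr += name.encode() + b"\x00"
    dynstr += b"\x00" * (-len(dynstr) % 8)
    dynamic = b"".join(struct.pack(DYN_ENTRY, DT_NEEDED, o) for o in name_offsets)
    dynamic += struct.pack(DYN_ENTRY, DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    body = dynstr + dynamic + extra
    shoff = 64 + len(body) + (-(64 + len(body)) % 8)
    body += b"\x00" * (shoff - 64 - len(body))
    shdrs = struct.pack(SECTION_HEADER, *([0] * 10))          # index 0: SHN_UNDEF
    shdrs += struct.pack(SECTION_HEADER, 0, SHT_STRTAB, 0, 0, dynstr_off,
                         len(dynstr), 0, 0, 1, 0)             # index 1: .dynstr
    shdrs += struct.pack(SECTION_HEADER, 0, SHT_DYNAMIC, 0, 0, dynamic_off,
                         len(dynamic), 1, 0, 8, 16)           # index 2: .dynamic
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELF64, LE, v1
    header = struct.pack(ELF_HEADER, ident, 3, 62, 1, 0, 0, shoff, 0,
                         64, 56, 0, 64, 3, 0)                 # ET_DYN, x86-64
    return header + body + shdrs


if __name__ == "__main__":
    # Usage: python3 sqlite_linkage.py PATH...   (e.g. the Tcl sqlite3 extension .so)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_sqlite_linkage(fh.read()))
```

Run it on the sqlite3 extension installed by Tcl and on anything else in the system that talks to SQLite: a "bundled" result is exactly the object Ken is worried about, since a libsqlite3 update will not touch it, while "system-shared" is what the "shared system lib" policy produces.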
