Bug#871647: upx-ucl: uses convenience copy of LZMA library

Thu, 10 Aug 2017 12:57:54 -0700 

Thorsten Glaser writes:

> 
> Apparently upx-ucl reverted from using the system LZMA library
> to its own.

First of all, lzma-sdk is not designed to be used as a library, so in
fact there is no such thing like "system LZMA library". Moreover upx is
not the only package that includes its own copy of LZMA, see e.g.
https://codesearch.debian.net/search?q=__LZMA_ENCODER_H&perpkg=1

> This, if not justified, is a Policy violation, for
> various reasons, including maintainability and security.
> 
> Neither the changelog entry nor README.{Debian,source} contain
> any justification, however.

The justification is simple and obvious: current upx does not compile
with the current lzma-dev.

upx requires the following files:

  compress_lzma.cpp:#include "C/Common/MyInitGuid.h"
  compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.h"
  compress_lzma.cpp:#include "C/Common/Alloc.cpp"
  compress_lzma.cpp:#include "C/Common/CRC.cpp"
  compress_lzma.cpp:#include "C/7zip/Common/OutBuffer.cpp"
  compress_lzma.cpp:#include "C/7zip/Common/StreamUtils.cpp"
  compress_lzma.cpp:#include "C/7zip/Compress/LZ/LZInWindow.cpp"
  compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.cpp"
  compress_lzma.cpp:#include "C/7zip/Compress/RangeCoder/RangeCoderBit.cpp"
  compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
  compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"
  stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
  stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"

while lzma-dev in Debian provides only:

  /usr/include/lzma/LzmaDec.c
  /usr/include/lzma/LzHash.h
  /usr/include/lzma/LzFind.h
  /usr/include/lzma/LzmaDec.h
  /usr/include/lzma/LzmaEnc.h
  /usr/include/lzma/7zVersion.h
  /usr/include/lzma/LzmaEnc.c
  /usr/include/lzma/LzFind.c
  /usr/include/lzma/Types.h

Yes, I know that I can try to request adding new files into lzma-dev, as
it was done in past, see https://bugs.debian.org/452817, but at that
time upx source did not include copy of lzma, and now it does.

Also let me quote the following upstream note from
stub/src/c/Makevars.lzma file in upx source code:

  # UPX unconditionally uses its own version in src/lzma-sdk because
  # that version works fine since 2006 and that is the only version
  # that is actually sufficiently tested!!!

Regards,
robert

Reply via email to