One of the basic guidelines we have in Fedora is that a package should not link against a local copy of a library. Instead libraries should be included in the system and applications should link against that.[1]_
This is a lesson we learned from experience with C applications linking against their own copies of libraries which later had security issues. Hunting down all instances of these libraries and fixing each of them individually is a losing proposition.

There are other reasons as well. For instance, applications that include their own copies of libraries are often tempted to apply their own bugfixes and feature enhancements to the library. That makes it harder to port the application to new versions of the library and runs counter to the open source philosophy of helping to improve the library for everyone. In the world of C applications and libraries, we don't often run into this problem anymore. Most C application developers have learned the same lessons we have. However, in the Java, Mono/.NET, and web application worlds, this is a common practice.

Sometimes our packagers find themselves trying to convince upstream to change what they do without success -- upstream is convinced that they need to include these local copies. I'd like to know if other distributions also consider separating libraries from applications to be a best practice. If so, would you be willing to collaborate on getting upstreams to see our point of view? Things we can do are to write down our justifications for doing this, letting upstream know that it isn't just one distribution that feels this way, offering to help upstreams code alternatives, offering to help forward port applications to new versions of libraries, and getting best practice recommendations changed to reflect this (for instance, this recommendation is made on the Mono site: http://www.mono-project.com/Assemblies_and_the_GAC#Libraries_with_Unstable_APIs ).
_[1]: there are actually several guidelines that deal with different aspects of this:

* The main guideline states that applications must not ship private versions of system libraries: http://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries
* This guideline notes that static linking is only allowed in exceptional circumstances: http://fedoraproject.org/wiki/Packaging/Guidelines#Staticly_Linking_Executables
* This guideline specifies that prebuilt libraries are not allowed. This often comes up in tandem with these problems, as upstreams often ship prebuilt Java jars, Mono assemblies, or Python eggs of their dependent libraries either with or in lieu of the library's source. http://fedoraproject.org/wiki/Packaging/Guidelines#No_inclusion_of_pre-built_binaries_or_libraries

-Toshio
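To show why privately bundled copies are hard to hunt down, and how a distribution can at least inventory them before a library security fix, here is an added example (not part of Toshio's mail or of the Fedora guidelines): a Python scanner that walks a file tree and reports every JAR/WAR/EAR carrying classes of a given library package, including copies nested inside a web archive. The library package prefix org/example/lib/ and the sample tree it builds are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile

def has_library_classes(names, pkg_prefix):
    """True if any entry is a .class file under the library's Java package prefix."""
    return any(n.startswith(pkg_prefix) and n.endswith(".class") for n in names)

def scan_archive(path, pkg_prefix):
    """Return (archive, nested) pairs; nested is '' for classes directly in the archive, else the nested jar name."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if has_library_classes(names, pkg_prefix):
            hits.append((path, ""))
        for name in names:
            if name.endswith(".jar"):  # one nesting level covers WEB-INF/lib in war/ear layouts
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    if has_library_classes(inner.namelist(), pkg_prefix):
                        hits.append((path, name))
    return hits

def find_library_copies(root, pkg_prefix):
    """Walk root and report every archive that carries the library's classes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                hits.extend(scan_archive(os.path.join(dirpath, f), pkg_prefix))
    return hits

def _write_zip(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)

def demo():
    """Constructed sample tree (hypothetical library org/example/lib/): system copy, app jar with a private copy, war nesting a copy."""
    root = tempfile.mkdtemp()
    lib = [("org/example/lib/Util.class", b"\xca\xfe\xba\xbe")]
    _write_zip(os.path.join(root, "usr/share/java/examplelib.jar"), lib)
    _write_zip(os.path.join(root, "opt/app/app.jar"), [("com/example/App.class", b"")] + lib)
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(*lib[0])
    _write_zip(os.path.join(root, "opt/site/site.war"), [("WEB-INF/lib/examplelib-1.0.jar", nested.getvalue())])
    hits = find_library_copies(root, "org/example/lib/")
    return sorted((os.path.relpath(path, root), nested_name) for path, nested_name in hits)
```

Every hit other than the system copy under usr/share/java is a private copy that a fix to the packaged library would not reach.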
Distributions mailing list: http://lists.freedesktop.org/mailman/listinfo/distributions
