Bug#871647: upx-ucl: uses convenience copy of LZMA library
Hi Robert,

>> Neither the changelog entry nor README.{Debian,source} contain
>> any justification, however.
>
> The justification is simple and obvious: current upx does not compile
> with the current lzma-dev.

That could be fine, depending on the circumstances, but it needs to be documented.

> Also let me quote the following upstream note from
> stub/src/c/Makevars.lzma file in upx source code:
>
> # UPX unconditionally uses its own version in src/lzma-sdk because
> # that version works fine since 2006 and that is the only version
> # that is actually sufficiently tested!!!

This, however, is something *every* upstream says. Only in a very select few circumstances (rsync’s patched zlib) is this true and not replaceable, though; others merely wish for “the user having the same libraries everywhere” and thus bundle, say, vulnerable versions of libfreetype.

Sure, the LZMA libraries in Debian may offer a slightly different API, but it can be adapted to work with it. You could even feed that work upstream!

bye,
//mirabilos
--
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │ i was disappointed that there is no makefile │ but somehow the Build.sh is the least painful build system i've ever seen │ honours CC, {CPP,C,LD}FLAGS properly │ looks clearly like done by someone who knows what they are doing
Bug#871647: upx-ucl: uses convenience copy of LZMA library
Thorsten Glaser writes:

> Apparently upx-ucl reverted from using the system LZMA library
> to its own.

First of all, lzma-sdk is not designed to be used as a library, so in fact there is no such thing as a "system LZMA library". Moreover, upx is not the only package that includes its own copy of LZMA, see e.g. https://codesearch.debian.net/search?q=__LZMA_ENCODER_H&perpkg=1

> This, if not justified, is a Policy violation, for
> various reasons, including maintainability and security.
>
> Neither the changelog entry nor README.{Debian,source} contain
> any justification, however.

The justification is simple and obvious: current upx does not compile with the current lzma-dev. upx requires the following files:

compress_lzma.cpp:#include "C/Common/MyInitGuid.h"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.h"
compress_lzma.cpp:#include "C/Common/Alloc.cpp"
compress_lzma.cpp:#include "C/Common/CRC.cpp"
compress_lzma.cpp:#include "C/7zip/Common/OutBuffer.cpp"
compress_lzma.cpp:#include "C/7zip/Common/StreamUtils.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZ/LZInWindow.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/RangeCoder/RangeCoderBit.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"
stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"

while lzma-dev in Debian provides only:

/usr/include/lzma/LzmaDec.c
/usr/include/lzma/LzHash.h
/usr/include/lzma/LzFind.h
/usr/include/lzma/LzmaDec.h
/usr/include/lzma/LzmaEnc.h
/usr/include/lzma/7zVersion.h
/usr/include/lzma/LzmaEnc.c
/usr/include/lzma/LzFind.c
/usr/include/lzma/Types.h

Yes, I know that I can try to request adding new files into lzma-dev, as was done in the past, see https://bugs.debian.org/452817, but at that time the upx source did not include a copy of lzma, and now it does.

Also let me quote the following upstream note from the stub/src/c/Makevars.lzma file in the upx source code:

# UPX unconditionally uses its own version in src/lzma-sdk because
# that version works fine since 2006 and that is the only version
# that is actually sufficiently tested!!!

Regards,
robert
Bug#871647: upx-ucl: uses convenience copy of LZMA library
Source: upx-ucl
Version: 3.93-1
Severity: serious
Justification: Policy §4.13
Control: found -1 3.94-2

Apparently upx-ucl reverted from using the system LZMA library to its own. This, if not justified, is a Policy violation, for various reasons, including maintainability and security.

Neither the changelog entry nor README.{Debian,source} contain any justification, however.