Bug#871647: upx-ucl: uses convenience copy of LZMA library
Hi Robert,
>> Neither the changelog entry nor README.{Debian,source} contain
>> any justification, however.
>
>The justification is simple and obvious: current upx does not compile
>with the current lzma-dev.
that could be fine, depending on the circumstances, but needs
to be documented.
>Also let me quote the following upstream note from
>stub/src/c/Makevars.lzma file in upx source code:
>
> # UPX unconditionally uses its own version in src/lzma-sdk because
> # that version works fine since 2006 and that is the only version
> # that is actually sufficiently tested!!!
This, however, is something *every* upstream says. Only in very
select few circumstances (rsync’s patched zlib) is this true and
not replaceable, though; others merely wish for “the user having
the same libraries everywhere” and thus bundle, say, vulnerable
versions of libfreetype.
Sure, the LZMA libraries in Debian may offer a slightly different
API, but it can be adapted to work with it. You could even feed
that work upstream!
bye,
//mirabilos
--
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │
i was disappointed that there is no makefile │ but somehow the Build.sh is
the least painful built system i've ever seen │ honours CC, {CPP,C,LD}FLAGS
properly │ looks cleary like done by someone who knows what they are doing
Bug#871647: upx-ucl: uses convenience copy of LZMA library
Thorsten Glaser writes:
>
> Apparently upx-ucl reverted from using the system LZMA library
> to its own.
First of all, lzma-sdk is not designed to be used as a library, so in
fact there is no such thing like "system LZMA library". Moreover upx is
not the only package that includes its own copy of LZMA, see e.g.
https://codesearch.debian.net/search?q=__LZMA_ENCODER_H&perpkg=1
> This, if not justified, is a Policy violation, for
> various reasons, including maintainability and security.
>
> Neither the changelog entry nor README.{Debian,source} contain
> any justification, however.
The justification is simple and obvious: current upx does not compile
with the current lzma-dev.
upx requires the following files:
compress_lzma.cpp:#include "C/Common/MyInitGuid.h"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.h"
compress_lzma.cpp:#include "C/Common/Alloc.cpp"
compress_lzma.cpp:#include "C/Common/CRC.cpp"
compress_lzma.cpp:#include "C/7zip/Common/OutBuffer.cpp"
compress_lzma.cpp:#include "C/7zip/Common/StreamUtils.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZ/LZInWindow.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA/LZMAEncoder.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/RangeCoder/RangeCoderBit.cpp"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
compress_lzma.cpp:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"
stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.h"
stub/src/c/lzma_d_c.c:#include "C/7zip/Compress/LZMA_C/LzmaDecode.c"
while lzma-dev in Debian provides only:
/usr/include/lzma/LzmaDec.c
/usr/include/lzma/LzHash.h
/usr/include/lzma/LzFind.h
/usr/include/lzma/LzmaDec.h
/usr/include/lzma/LzmaEnc.h
/usr/include/lzma/7zVersion.h
/usr/include/lzma/LzmaEnc.c
/usr/include/lzma/LzFind.c
/usr/include/lzma/Types.h
Yes, I know that I can try to request adding new files into lzma-dev, as
it was done in past, see https://bugs.debian.org/452817, but at that
time upx source did not include copy of lzma, and now it does.
Also let me quote the following upstream note from
stub/src/c/Makevars.lzma file in upx source code:
# UPX unconditionally uses its own version in src/lzma-sdk because
# that version works fine since 2006 and that is the only version
# that is actually sufficiently tested!!!
Regards,
robert
Bug#871647: upx-ucl: uses convenience copy of LZMA library
Source: upx-ucl
Version: 3.93-1
Severity: serious
Justification: Policy §4.13
Control: found -1 3.94-2
Apparently upx-ucl reverted from using the system LZMA library
to its own. This, if not justified, is a Policy violation, for
various reasons, including maintainability and security.
Neither the changelog entry nor README.{Debian,source} contain
any justification, however.
