2016-03-01 18:00 GMT+01:00 Carlos Garnacho <carl...@gnome.org>:
> Hi Michael,
>
> On Tue, Mar 1, 2016 at 4:52 PM, Michael Biebl <mbi...@gmail.com> wrote:
>> Hi everyone,
>>
>> I just noticed that the new tracker 1.6.2 contains a code copy of
>> sqlite and no longer allows one to use the system sqlite library.
>> This is problematic for various reasons and distros like Debian [1]
>> and Fedora strongly discourage such code copies.
>>
>> Would it be possible to re-add the ability to link against the system
>> sqlite and only fall back to the embedded copy if the system library
>> doesn't meet the requirements of tracker (and output a big fat warning
>> in this case)?
>
> Not sure if you missed the action caused by sqlite 3.11. From that
> version on, they've hidden by default a sql function that's
> indispensable for us.
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7036

Seems I missed that, indeed. Most likely because of:

sqlite3 (3.11.0-2) unstable; urgency=low

  * Compile with SQLITE_ENABLE_FTS3_TOKENIZER for backwards compatibility
    (closes: #815499).
  * Update Standards-Version to 3.9.7 .

 -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Tue, 23 Feb 2016 21:31:39 +0100

So this particular change was reverted in Debian.

> Tracker itself is not hit by this cve, but we've evidently become
> collateral damage since this is removed by default.
>
> The embedded copy solution has only been done on current stable
> releases (1.4 and 1.6). It's not one I'm too happy with. But it's
> surely better than requiring -DSQLITE_ENABLE_FTS3_TOKENIZER
> system-wide (partly why I just went for always using the embedded
> copy, this is something distros don't want enabled). For master (and
> upcoming 1.8), I've opted for using FTS5 (which doesn't have this
> problem), and still rely on the system sqlite library.
>
> I understand and share your concerns, but this is kind of a rough spot
> we're on :).

Has there been any discussion with sqlite upstream to solve that differently?
I mean breaking consumers of the sqlite APIs can't be the proper fix for that.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
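
The "use the system sqlite, fall back to the embedded copy with a warning" check requested in the thread could look like the sketch below. It is an added example, not code from Tracker or from anyone in the thread. The names `has_module`, `probe_sqlite` and `choose_backend` are hypothetical, and the rule it encodes (tokenizer function available by default before 3.11, only with `SQLITE_ENABLE_FTS3_TOKENIZER` from 3.11 on) is taken from the messages above.

```python
import sqlite3

def has_module(conn, name):
    """True if the linked SQLite can create a virtual table of this module."""
    try:
        conn.execute(f"CREATE VIRTUAL TABLE probe_{name} USING {name}(body)")
        conn.execute(f"DROP TABLE probe_{name}")
        return True
    except sqlite3.OperationalError:  # e.g. "no such module: fts5"
        return False

def probe_sqlite():
    """Describe the SQLite library this process is linked against."""
    conn = sqlite3.connect(":memory:")
    # PRAGMA compile_options lists build flags without the SQLITE_ prefix.
    opts = {row[0] for row in conn.execute("PRAGMA compile_options")}
    return {
        "version": tuple(int(p) for p in sqlite3.sqlite_version.split(".")),
        "fts3": has_module(conn, "fts3"),
        "fts3_tokenizer": "ENABLE_FTS3_TOKENIZER" in opts,
        "fts5": has_module(conn, "fts5"),
    }

def choose_backend(probe, want_fts5):
    """Return ("system" | "embedded", warning-or-None).

    want_fts5=True models master / 1.8 (FTS5 on the system library);
    want_fts5=False models the 1.4 / 1.6 branches that need the FTS3
    tokenizer function. Assumption: the rule is the one stated in the thread.
    """
    if want_fts5:
        ok, need = probe["fts5"], "FTS5"
    else:
        ok = probe["fts3"] and (probe["version"] < (3, 11)
                                or probe["fts3_tokenizer"])
        need = "SQLITE_ENABLE_FTS3_TOKENIZER"
    if ok:
        return "system", None
    ver = ".".join(map(str, probe["version"]))
    return "embedded", f"WARNING: system sqlite {ver} lacks {need}; using embedded copy"

if __name__ == "__main__":
    print(probe_sqlite())
    print(choose_backend(probe_sqlite(), want_fts5=False))
```

A build that takes the "embedded" branch owns the security updates for that copy, which is the distro concern raised at the top of the thread, so the warning should be visible in build logs.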