On Mon, Aug 26, 2013 at 1:13 PM, Florian Weimer <[email protected]> wrote:
> But there is a class of users who want documentation for *any* change.
> I'm not sure how they will react to, say, a TLS library update that
> comes with the library update *and* most packages in the distribution
> which have been "rebuilt due to a change in dependencies".
> Why on earth would you do *that*?

It wouldn't work, since different changes would lead to different recompilations, and the supplier of a given update doesn't have access to all of the dependent libraries.

I'm familiar with the class of user you cite. Their concern has merit in many situations, but the compiler is inherently part of the TCB of any system. A recompile, as distinct from a source code change, isn't the kind of thing they should be worried about. I understand that they *will* worry about it, but I have no sympathy for that concern [1,2] and won't admit it as a design criterion. The same people have no objection to this recompile when it is performed by the JIT engine, so too damned bad.

[1] There is a potentially legitimate concern about trojans exploiting compiler bugs, but that's not what these users are thinking about.

[2] There is a *totally* legitimate concern about validation and testing for critical apps. Such apps may need to be marked in some fashion as "do not rebuild". But the countervailing concern is that applications marked in this way cannot be trusted from a security perspective, because one of their impacts is to ensure the retention of security holes.

But to be clear, my assumption is that the recompile happens on the system that is the target of install, and is performed by an AOT compiler that is a core component of that system. Since the party shipping the change cannot have any idea what libraries are installed on your machine, there is no way for them to do all of the necessary recompiles.
> There's also an expectation that you only have to do detailed QA on
> changed components—which is, of course, an unsafe assumption, just
> like updating a DSO written in C without recompiling all reverse
> dependencies.

Yup. And there's an expectation that *I* won't get cancer if I smoke, even though everybody else does. The two expectations have similar merit.

shap
_______________________________________________
bitc-dev mailing list
[email protected]
http://www.coyotos.org/mailman/listinfo/bitc-dev
