On Tue, Sep 16, 2014 at 04:29:28PM -0300, Fernando de Oliveira wrote: > On 16-09-2014 12:49, Bruce Dubbs wrote: > > Fernando de Oliveira wrote: > > > >> The reason I modified it, was not just because I wanted to. > >> > >> During the discussions (dev and ticket, IIRC), it was mentioned not only > >> once that SQLite should be removed from Tcl, either because we do it > >> with other packages, or because ArchLinux developers do it. > > > > The first reason is good for consistency, but there can be exceptions. I > > don't like th esecond reason. Just be cause Arch does something, > > doesn't mean we should. What about Debian or RedHat or ...? > > Well, I searched about that and the only distribution that is not > considering tcl a dependency for sqlite and is not installing sqlite-tcl > (in the sense that I had included in the book) is BLFS. > > Debian, Gentoo, RedHat (Fedora), SUSE (they changed and ask in their > page to be name all capitals), Ubuntu, Arch and another one that I can't > remember all have sqlite-tcl. There is even many discussions about > "sqlite now depends on tcl?) > Thanks for doing the research. What really annoyed me on Monday was the local fixup I had to do to my scripts in a later commit [ I suppress static libs, anything using tcl needs the static lib to be made available, and I had overlooked that : that part is _my_ problem ] only to find, when I had built that part, that BLFS had reverted to how it used to be.
Now that you have said what you say above, I think this is very much a _potential_ security issue (if sqlite ever gets a vulnerability) and we should prevent it by using a shared system lib, i.e. by reverting the revert. Saying that "arch does it" is not necessarily a justification - at times, they seem to bleed more than we do (bleed as in "on the bleeding edge", getting problems), and I have mixed opinions on ubuntu. But if debian, gentoo, and fedora all do it then I think we should do the same. Sometimes, we make decisions too early - the one that always sticks in my mind was apng - I thought distros would follow the mozilla fork, but they didn't, so we are stuck with that decision: from time to time, firefox has been slow in picking up upstream png security fixes, at other times apng has been a little late - on balance using system apng has sometimes been better, but other times been worse. In the case of TCL and sqlite, using system sqlite looks like the best policy. Just to restate my policy for my own builds: if a package includes a library which is separately maintained, and part of BLFS, I use that package to provide a shared system lib. In other cases, where the external library appears to not have a separate/current upstream, I use the static library shipped with the package and hope that the package will fix any problems. > > > >> Then, I concluded we were facing a bug in BLFS and it should be > >> urgently fixed before the 7.6 release, and used ArchLinux as example. > > > > If the fix was trouble free, I don't have any objection, but it caused > > much more trouble than it was worth. > > I don't understand. Which troubles? > Bruce, please expand that comment. > > > >> The reversion I did yesterday is not my preferred one, just wanted to > >> run out of the problem. But in my particular machines, I will *remove* > >> SQLite from Tcl, because to the best of my knowledge, the own developers > >> fear it and *it is useless*, perhaps something they are developing for > >> future use. > > > > That's your choice of course, but I really don't think it matters either > > way. For consistency with the rest of BLFS, it appears to me that the real problem was the too-quick reversion. We have differences of opinion (and I seem to have more than most - e.g. I apparently pissed off Igor with my Mesa suggestions, because he only altered one part, and I've probably pissed off Ragnar with my comments on the epub dependency for okular), but _discussion_ is good, and its what this list is supposed to be for. If somebody makes a suggestion, unless it is obviously correct (and perhaps even then!) we should allow people to discuss it, and give it some thought, before acting. For security issues, we should fix it if we can, and then if somebody disagrees - even Bruce - we should discuss and allow contributions before reverting. Alternatively, one benevolent dictator could control it all : if that comes to pass, I *will* stop contributing. ĸen -- Nanny Ogg usually went to bed early. After all, she was an old lady. Sometimes she went to bed as early as 6 a.m. -- http://lists.linuxfromscratch.org/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
