Quoting Adrian Bunk (2020-12-19 10:17:04)
> On Fri, Dec 18, 2020 at 05:12:53PM +0100, Jonas Smedegaard wrote:
> > Quoting Adrian Bunk (2020-12-18 15:36:23)
> > > On Fri, Dec 18, 2020 at 01:33:33PM +0100, Jonas Smedegaard wrote:
> > > > It is indeed not realistic to fit all fast-changing code 
> > > > projects into Debian.  We have made a few fast-paced projects 
> > > > like Firefox fit, but in my opinion we did that in a problematic 
> > > > way: By endorsing embedded code copies, which is painful to 
> > > > maintain.
> > > > 
> > > > I think we should not relax our rules, but (improve our packages 
> > > > so that we can) tighten our rules to apply more consistently - 
> > > > e.g. avoid embedded code copies also in Firefox.
> > > 
> > > Embedded code copies are the smallest problem with Firefox, and on 
> > > that I would actually trust Mozilla to release fixes quickly.
> > 
> > I do trust Mozilla to release fixes quickly - my point was a 
> > different one: Mozilla and Google and GNOME and KDE each being quick 
> > to release fixes for libusrsctp or some other embedded library is 
> > still different from linking with a shared copy.
> 
> Firefox in unstable is mostly using shared libraries, in (old)stable 
> it is using some static libraries because Firefox wants more recent 
> versions than are in the distribution.
> 
> The big problem is that Firefox is not security supportable without 
> upgrading to new upstream versions that are not on the same stable 
> branch, such software is not suitable for distributions with security 
> supported stable series like Debian or Ubuntu.

Yes, Firefox initially uses system-shared libraries and uses locally 
embedded copies only when needed.  Similar for Chromium and other 
packages (to a varying degree of "when needed").

Yes, keeping the application security supportable in a stable 
environment is the big problem.

My point is that we currently address that big problem by effectively 
encouraging locally embedded code copies, as our way of addressing that 
big problem: Firefox and Chromium are packaged as a single big 
self-contained thing including its web rendering engine, and can be 
security-maintained; Epiphany (a.k.a. GNOME Web) and other web browsers 
are packaged without embedding their web rendering engine, and those 
(webkitgtk and qtwebengine-opensource-src) lose security support.

Firefox is not badly packaged.  It works!

But it works in a way that does not scale well - and I find it worrisome 
if big popular projects get preferential treatment in Debian.  Possibly 
they don't.  Possibly if 10 or 50 other packages began including local 
copies of library code to not _need_ to depend on system-shared code at 
a later stage of their lifecycle in Debian, we would happily accept 
that.  But I highly doubt that, and it feels backwards to me to do it.

janus is a fast-paced package.  It links with libusrsctp and libsrtp2, 
and some upgrades require upgrades to those other libraries as well.  
Should I embed copies of those libraries into src:janus to ease a later 
upgrade while in stable Debian?

Firefox and Chromium and webkitgtk and qtwebengine-opensource-src embed 
libusrsctp and libsrtp2.  It works, and addresses "the big problem", but 
I think we should not undermine but find ways to embrace Debian Policy 
[§4.13]:

> Some software packages include in their distribution convenience 
> copies of code from other software packages, generally so that users 
> compiling from source don’t have to download multiple packages. Debian 
> packages should not make use of these convenience copies unless the 
> included package is explicitly intended to be used in this way. If the 
> included code is already in the Debian archive in the form of a 
> library, the Debian packaging should ensure that binary packages 
> reference the libraries already in Debian and the convenience copy is 
> not used. If the included code is not already in Debian, it should be 
> packaged separately as a prerequisite if possible.


 - Jonas

[§4.13]: 
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
