On 13-10-2009, Stefano Zacchiroli <[email protected]> wrote:
> On Mon, Oct 12, 2009 at 03:22:55PM +0000, Sylvain Le Gall wrote:
>> I think it is a bit dangerous to have libX-ocaml v1.2 fulfill the
>> dependencies of libX-ocaml-dev v1.3 if there is nothing detectable in
>> the ABI checksum.
>
> I think we all agree on this point.
>
> At present, I can't find any single case in which using the new
> mechanism opens the flank to more risks than the old one. (Sure, I'm
> blindly trusting the checksums here, but quick computations done by
> Stephane show that we have a probability of collision of about 1.6e-8,
> the probability of a dumb upstream author of releasing a new C library
> breaking ABI without bumping the soname is waaaay higher than that :-))
>

I agree on this point, nothing more to say about this. The new system is,
to my mind, quite safe (at least I don't see an obvious reason that it can
fail).

However, my last point remains: making the package look like any other
Debian package when possible. This is the rule of the "least
modification", so that we don't use too many special ways of handling
deps. We have a lot of "leaf packages" in pkg-ocaml-maint, so avoiding
intra-dependency checksums will reduce a lot the number of dependency
changes. (This is not a technical reason, just a "low profile" in Debian
reason.)

> [1] Actually, this is rather interesting. I'm surprised that upstream
>     has never thought about this: it would be terribly useful to store
>     in some part of the .so a checksum which is verified at runtime
>     before loading the .so. I guess there is a technical reason for not
>     having done that, but I can't find exactly which at the moment.
>

Maybe the simplest example is a non-custom bytecode binary executable?

Let's choose headache as an example. headache uses Unix, so it must load
dllunix.so. If the bytecode format doesn't change between OCaml 3.11 and
3.12, there is no reason to recompile headache, because it can still load
dllunix.so. If we include a checksum inside dllunix.so, headache will
warn/exit with an error, because it doesn't find the right checksum after
the upgrade to OCaml 3.12.

N.B.: this is not our choice with the new dependency system, because we
will force headache to recompile when 3.11 -> 3.12, even if it is not
mandatory.

Regards,
Sylvain Le Gall

