On Monday, 10 April 2017 at 12:59:37 UTC, Matthias Klumpp wrote:
>> Who came up with those policies and decided that they apply to
>> D? Because I really don't think they should.
>
> They are the result of years of experience in building complex
> systems and keeping them secure.
> If you have a dependency chain "X -> Y -> Z" (-> meaning
> "depends on"), and you find a security bug in Z, you the
> security team will just need to fix the bug in Z to resolve it
> in the whole distribution.
> But if the code which has this issue is compiled into all of
> the packages that depend on it, you will need to rebuild the
> full dependency chain to actually fix the security issue, which
> is not only time intensive but also a huge maintenance effort.
> In this simple example it doesn't look like much, but those
> dependency chains can grow massively large and complicated, and
> the only way to keep the large software stack maintainable and
> secure is by splitting pieces cleanly.
> Embedded code copies are allowed in rare events, but in these
> cases the security team needs to be aware of them.
> Sometimes, the licenses also explicitly prevent embedded code
> copies.
> Aside from these issues, splitting things cleanly also makes
> general package maintenance much easier, and adds flexibility
> for our users who can mix and match parts of the distribution
> as they like and combine them with their own code.
No, I understand all of this. What I'm saying is that in the case of
D, these rules, though making sense, will just not work. You
can't replace a piece of code in a template instantiation in a
compiled program, shared libraries and stable ABI or not.
> You need to see here that D is not the center of the world and
> we will need to make it work nicely with the rest of the system.
The opposite is also true: requiring a stable shared library API
of every packaged D library is just as unreasonable. In fact, to
make these rules useful and applicable to all D programs, you'd
have to completely forbid templates in the library's public
interface, which would immediately exclude Phobos for one.