On Sun, Jan 25, 2015 at 8:39 AM, Nico Schlömer <nico.schloe...@gmail.com>
wrote:

> Some would argue that bundling is evil [1]. Hence the obvious
> question: Why don't we simply depend on this software?
>
>
Good question! It depends (and some of the cases overlap):

* in some cases it's required (the Apple headers aren't available
elsewhere, xwax does not provide its timecoder as a library and doesn't
want to, fidlib is largely a dead project and not packaged by anyone except
Gentoo, replaygain is a simple code snippet shared on the web for over a
decade now and isn't thread safe. We had to hack it up. Some people have
packaged this code snippet into a Debian package -- it's not useful to us
in that form though)
* in some cases we want specific control over which version we include and
what patches we apply (soundtouch -- since distros are not reliable at
updating and applying critical patches we need, hidapi -- since the project
is rapidly evolving we often want to build from HEAD)
* in some cases there isn't a package in Debian (gtest/gmock and HIDAPI at
the time we added them were not available in Debian) or
Homebrew/Macports/etc.
* in some cases we want to make builds easier on OS X and Windows (the VAMP
SDK can be very tricky to get installed correctly -- especially via
homebrew/macports).

Also, the points from the article primarily apply to libraries, not
applications. Symbol collisions aren't going to happen, we don't have a
downstream, security isn't really important for us since we run as the user
and aren't setuid, etc. There are people who run Mixxx as root to bypass
permissions issues on their HID devices but that is definitely not advised.
Put simply, Mixxx is surely crawling with security issues -- bundling other
libraries is the least of our problems. If someone wanted to hack a Mixxx
user the attack surface is massive.

These are all pretty common reasons to bundle a dependency. Making builds
easier on Windows and Mac is actually a priority since it helps us grow our
developer team. One of my very talented friends -- a Linux kernel hacker --
was unable to get Mixxx building on OS X after 5 hours of work in
2010 (there were many more issues with our build system back then) so he
gave up instead of joining us. That was an illuminating experience for me
as to why our team was so small. The page you linked lists "Comforting
non-Linux users" as if that's a bad thing. We care about making
contributing easy!

Alex Barker (a Gentoo and Mixxx developer) has been poking us to switch
various dependencies to be optionally bundled (e.g. fidlib, soundtouch) and
that's totally reasonable. VAMP SDK is already optionally bundled. For the
reasons Daniel mentioned SoundTouch is kind of important to be done "right"
-- not that we necessarily do it right -- but we'd prefer to control
specifically what version we use since segfaults tickled in SoundTouch
affect our reputation and we get stuck in situations where users get
regular crashes on $DISTRO because they don't update SoundTouch regularly.

In general, these principles are nice if someone who works on the distro
actually cares about your dependency packages. If nobody cares then you can
email the maintainers of your package for literally years and not be able
to get help. A great example of this is the portmidi package in Debian [1].
It took nearly 2 years to get a 1-line bug in the Debian build script for
the package fixed. In the meantime this negatively affected our reputation
on Linux because Mixxx "crashed" regularly when using a MIDI controller. I
was considering switching to bundling PortMIDI because of this --
thankfully Alessio Treglia (our Debian maintainer) submitted a fix for the
package.

Hope this helps give some context for why we do "evil" things :),
RJ

[1] https://bugs.launchpad.net/mixxx/+bug/1097286 (note the dupes of the
bug date back to 2011)



> Cheers,
> Nico
>
>
> [1] http://wiki.gentoo.org/wiki/Why_not_bundle_dependencies
>
> On Sun, Jan 25, 2015 at 5:36 PM, RJ Ryan <russelljr...@gmail.com> wrote:
> > Hi Nico,
> >
> > Yes, the lib folder is where we stick code that we didn't write but include
> > in our binaries.
> >
> > apple: some Apple-provided headers needed for our CoreAudio decoder (MP3/AAC
> > support on OS X)
> >
> > fidlib : an audio filter construction library
> >
> > hidapi : a cross platform HID API
> >
> > replaygain : the standard replaygain example code, adapted slightly for C++
> >
> > soundtouch : a sound resampling library -- it frequently has critical
> > (segfault) bugs and so we don't use the distro versions because of the
> > slowness of distro updates.
> >
> > gtest/gmock are only for the tests
> >
> > vamp: a bundling of the vamp plugin SDK so that users don't have to install
> > it themselves (quite a pain on some platforms)
> >
> > xwax: xwax's timecoder, used for vinyl control
> >
> > Cheers
> > RJ
> >
> >
> >
> >
> > On Sun, Jan 25, 2015 at 8:22 AM, Nico Schlömer <nico.schloe...@gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >> When skimming through the mixxx sources, I found
> >> ```
> >> $ ls lib/
> >> apple  fidlib-0.9.10  gmock-1.7.0  gtest-1.7.0  hidapi-0.8.0-pre
> >> replaygain  soundtouch-1.8.0  vamp-2.3  xwax
> >> ```
> >> This looks like we're bundling third-party software. Do we?
> >>
> >> Cheers,
> >> Nico
> >>
> >>
> >>
> >> _______________________________________________
> >> Get Mixxx, the #1 Free MP3 DJ Mixing software Today
> >> http://mixxx.org
> >>
> >>
> >> Mixxx-devel mailing list
> >> Mixxx-devel@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/mixxx-devel
> >
> >
>