Thanks Ryan for the explanation; knowing the open-source software world, I very much sympathize with you. The reason I was asking about the bundling is that it makes packaging and application sometimes hard, for example because one has to patch around the build system to make sure the system library XYZ is used instead of the bundled one.

An alternative to bundling third-party with the Mixxx sources would be to create a second repository by the name of, say, mixxx-installer, which pulls all of Mixxx's dependencies from a set of specified sources, e.g., GitHub, then builds and installs it. If we fork other projects and apply our patches, this would also make clearer what we do and ease the process of shoving our changes upstream. (At least that's my experience.)

Cheers,
Nico

On Sun, Jan 25, 2015 at 6:53 PM, RJ Ryan <russelljr...@gmail.com> wrote:
> On Sun, Jan 25, 2015 at 8:39 AM, Nico Schlömer <nico.schloe...@gmail.com>
> wrote:
>>
>> Some would argue that bundling is evil [1]. Hence the obvious
>> question: Why don't we simply depend on this software?
>>
>
> Good question! It depends (and some of the cases overlap):
>
> * in some cases it's required (the Apple headers aren't available elsewhere,
> xwax does not provide its timecoder as a library and doesn't want to, fidlib
> is largely a dead project and not packaged by anyone except Gentoo,
> replaygain is a simple code snippet shared on the web for over a decade now
> and isn't thread safe. We had to hack it up. Some people have packaged this
> code snippet into a Debian package -- it's not useful to us in that form
> though)
> * in some cases we want specific control over which version we include and
> what patches we apply (soundtouch -- since distros are not reliable at
> updating and applying critical patches we need, hidapi -- since the project
> is rapidly evolving we often want to build from HEAD)
> * in some cases there isn't a package in Debian (gtest/gmock and HIDAPI at
> the time we added them were not available in Debian) or
> Homebrew/Macports/etc.
> * in some cases we want to make builds easier on OS X and Windows (the VAMP
> SDK can be very tricky to get installed correctly -- especially via
> homebrew/macports).
>
> Also, the points from the article primarily apply to libraries, not
> applications. Symbol collisions aren't going to happen, we don't have a
> downstream, security isn't really important for us since we run as the user
> and aren't setuid, etc. There are people who run Mixxx as root to bypass
> permissions issues on their HID devices but that is definitely not advised.
> Put simply, Mixxx is surely crawling with security issues -- bundling other
> libraries is the least of our problems. If someone wanted to hack a Mixxx
> user the attack surface is massive.
>
> These are all pretty common reasons to bundle a dependency. Making builds
> easier on Windows and Mac is actually a priority since it helps us grow our
> developer team. One of my very talented friends -- a Linux kernel hacker --
> was unable to get Mixxx building on OS X after 5 hours of work in 2010
> (there were many more issues with our build system back then) so he gave up
> instead of joining us. That was an illuminating experience for me as to why
> our team was so small. The page you linked lists "Comforting non-Linux
> users" as if that's a bad thing. We care about making contributing easy!
>
> Alex Barker (a Gentoo and Mixxx developer) has been poking us to switch
> various dependencies to be optionally bundled (e.g. fidlib, soundtouch) and
> that's totally reasonable. VAMP SDK is already optionally bundled. For the
> reasons Daniel mentioned SoundTouch is kind of important to be done "right"
> -- not that we necessarily do it right -- but we'd prefer to control
> specifically what version we use since segfaults tickled in SoundTouch
> affect our reputation and we get stuck in situations where users get regular
> crashes on $DISTRO because they don't update SoundTouch regularly.
>
> In general, these principles are nice if someone who works on the distro
> actually cares about your dependency packages. If nobody cares then you can
> email the maintainers of your package for literally years and not be able to
> get help. A great example of this is the portmidi package in Debian [1]. It
> took nearly 2 years to get a 1-line bug in the Debian build script for the
> package fixed. In the meantime this negatively affected our reputation on
> Linux because Mixxx "crashed" regularly when using a MIDI controller. I was
> considering switching to bundling PortMIDI because of this -- thankfully
> Alessio Treglia (our Debian maintainer) submitted a fix for the package.
>
> Hope this helps give some context for why we do "evil" things :),
> RJ
>
> [1] https://bugs.launchpad.net/mixxx/+bug/1097286 (note the dupes of the bug
> date back to 2011)
>
>>
>> Cheers,
>> Nico
>>
>> [1] http://wiki.gentoo.org/wiki/Why_not_bundle_dependencies
>>
>> On Sun, Jan 25, 2015 at 5:36 PM, RJ Ryan <russelljr...@gmail.com> wrote:
>> > Hi Nico,
>> >
>> > Yes, the lib folder is where we stick code that we didn't write but
>> > include in our binaries.
>> >
>> > apple: some Apple-provided headers needed for our CoreAudio decoder
>> > (MP3/AAC support on OS X)
>> >
>> > fidlib : an audio filter construction library
>> >
>> > hidapi : a cross platform HID API
>> >
>> > replaygain : the standard replaygain example code, adapted slightly for
>> > C++
>> >
>> > soundtouch : a sound resampling library -- it frequently has critical
>> > (segfault) bugs and so we don't use the distro versions because of the
>> > slowness of distro updates.
>> >
>> > gtest/gmock are only for the tests
>> >
>> > vamp: a bundling of the vamp plugin SDK so that users don't have to
>> > install it themselves (quite a pain on some platforms)
>> >
>> > xwax: xwax's timecoder, used for vinyl control
>> >
>> > Cheers
>> > RJ
>> >
>> > On Sun, Jan 25, 2015 at 8:22 AM, Nico Schlömer
>> > <nico.schloe...@gmail.com> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> When skimming through the mixxx sources, I found
>> >> ```
>> >> $ ls lib/
>> >> apple fidlib-0.9.10 gmock-1.7.0 gtest-1.7.0 hidapi-0.8.0-pre
>> >> replaygain soundtouch-1.8.0 vamp-2.3 xwax
>> >> ```
>> >> This looks like we're bundling third-party software. Do we?
>> >>
>> >> Cheers,
>> >> Nico
>> >>
>> >> _______________________________________________
>> >> Get Mixxx, the #1 Free MP3 DJ Mixing software Today
>> >> http://mixxx.org
>> >>
>> >> Mixxx-devel mailing list
>> >> Mixxx-devel@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/mixxx-devel
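
Added example (not part of the thread and not Mixxx project code): a packager auditing what the tree bundles can turn the `ls lib/` listing quoted above into an inventory, list the shipped components whose directory name carries no release version or only a snapshot tag, and compare bundled versions with a distro's. The function names are hypothetical and the system versions passed to `drift` are constructed for illustration.

```python
import re

# Directory names exactly as printed by `ls lib/` in the thread.
LIB_LISTING = """apple fidlib-0.9.10 gmock-1.7.0 gtest-1.7.0 hidapi-0.8.0-pre
replaygain soundtouch-1.8.0 vamp-2.3 xwax"""

# <name>-<dotted version>[-<tag>]; entries without a version do not match.
ENTRY = re.compile(
    r"^(?P<name>[A-Za-z]\w*?)-(?P<version>\d+(?:\.\d+)+)(?:-(?P<tag>\w+))?$")

# The thread says gtest/gmock are only used for the tests.
TEST_ONLY = {"gtest", "gmock"}


def inventory(listing):
    """Turn the directory listing into one record per bundled component."""
    rows = []
    for entry in listing.split():
        m = ENTRY.match(entry)
        name = m["name"] if m else entry
        rows.append({"name": name,
                     "version": m["version"] if m else None,
                     "tag": m["tag"] if m else None,
                     "ships": name not in TEST_ONLY})
    return rows


def untracked(rows):
    """Shipped components that cannot be matched to an upstream release
    from the directory name: no version at all, or a snapshot tag."""
    return sorted(r["name"] for r in rows
                  if r["ships"] and (r["version"] is None or r["tag"]))


def drift(rows, system_versions):
    """Compare bundled versions with the versions a distro provides."""
    def key(v):
        return tuple(int(p) for p in v.split("."))
    out = {}
    for r in rows:
        sysv = system_versions.get(r["name"])
        if r["version"] and sysv:
            b, s = key(r["version"]), key(sysv)
            out[r["name"]] = ("same" if b == s else
                              "bundled newer" if b > s else "system newer")
    return out


if __name__ == "__main__":
    rows = inventory(LIB_LISTING)
    print(untracked(rows))
    # Constructed distro versions, for illustration only.
    print(drift(rows, {"soundtouch": "1.7.1", "vamp": "2.5"}))
```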