      ZZLI4422             linux.debian.devel             1179 messages      

  Msg # 10 of 1179 on ZZLI4422, Wednesday 11-04-25, 1:50  
  From: SIMON RICHTER  
  To: ADRIAN BUNK  
  Subj: Vendoring  
 From: sjr@debian.org 
  
 Hi Adrian, 
  
 On 11/4/25 9:03 PM, Adrian Bunk wrote: 
  
 [imgui] 
  
 > the ecosystem you mention is far more fringe in Debian than apt/sqv. 
  
 Yes, but growing, and a lot of the larger C++ packages like KiCad and 
 ngscopeclient come with a large set of vendored libraries, often with 
 custom patches and version-pinned. 
  
 The version pinning of dependencies is a further complication on top of 
 static linking. Handling statically linked binaries, tracking the source 
 that went into them, and recompiling when necessary is a solvable 
 technical challenge that can be largely automated, and the main problem 
 for slower ports is having enough compute power to recompile stuff often 
 (and enough RAM for the massive linker invocations). 
  
 For version-pinned libraries we have the additional complication that 
 the archive cannot easily keep multiple versions around, so right now we 
 ship those extra copies inside the .orig.tar, which breaks the 
 Static-Built-Using mechanism, and visibility for the security team. 
  
 One thing I'd like to do (as a technical solution) is to teach uscan to 
 pack submodules into separate archives following a naming convention 
 (e.g. ngscopeclient_0.1+dfsg.orig-vendor-imgui-git371ea56.tar.xz), which 
 at least makes them easy to scan for. 
  
 That has some minor technical issues though -- I'd like to essentially 
 use the output of git-archive verbatim for all the orig archives (so 
 these are reproducible), which precludes me from adding symlinks for the 
 actual paths where the submodules go to the directory that the 
 additional orig archive gets unpacked to. 
  
 > The result is not 100%, but it tends to cover most packages that 
 > are important in Debian or might have CVEs. 
  
 The worst offender is stb, which is used for parsing image formats, and 
 which we certainly have a few dozen copies of -- ngscopeclient alone 
 brings two. :\ 
  
     Simon 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2) 
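The "easy to scan for" visibility the message asks for, as an added example that is not part of the original thread and not Debian's uscan or dpkg tooling: a small scanner that walks a source tree, finds vendored stb headers by file name, reads the version banner each stb header carries on its first lines (the `stb_image - v2.28 - public domain ...` form), and groups the copies by header and version so a security team can see how many distinct copies of, say, stb_image a package ships. The directory layout it scans is constructed inline for the example; the banner format and the sample versions are assumptions, not data from ngscopeclient or KiCad.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# stb headers announce their own version on one of the first lines, e.g.
#   /* stb_image - v2.28 - public domain image loader - http://nothings.org/stb
#   // stb_truetype.h - v1.26 - public domain
# (assumed banner form for this example).
STB_BANNER = re.compile(r"\b(stb_[a-z0-9_]+)(?:\.h)?\s+-\s+v(\d+(?:\.\d+)*)")


@dataclass(frozen=True)
class VendoredCopy:
    path: str      # where the copy sits in the unpacked source
    name: str      # header name, e.g. "stb_image"
    version: str   # version from the banner, e.g. "2.28"
    sha256: str    # hash of the whole file, to spot patched copies


def inspect_stb_header(path):
    """Return a VendoredCopy if the file carries an stb version banner, else None."""
    with open(path, "rb") as f:
        data = f.read()
    head = data[:4096].decode("utf-8", errors="replace")
    for line in head.splitlines()[:20]:
        m = STB_BANNER.search(line)
        if m:
            return VendoredCopy(path, m.group(1), m.group(2),
                                hashlib.sha256(data).hexdigest())
    return None


def find_vendored_stb(root):
    """Walk root and collect every stb_*.h that has a recognisable banner."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.startswith("stb_") and fn.endswith(".h"):
                copy = inspect_stb_header(os.path.join(dirpath, fn))
                if copy is not None:
                    found.append(copy)
    found.sort(key=lambda c: c.path)
    return found


def summarize(copies):
    """Per header name: copy count, distinct versions, and whether all copies are byte-identical."""
    summary = {}
    for c in copies:
        entry = summary.setdefault(c.name, {"count": 0, "versions": set(), "hashes": set()})
        entry["count"] += 1
        entry["versions"].add(c.version)
        entry["hashes"].add(c.sha256)
    return {
        name: {"count": e["count"],
               "versions": sorted(e["versions"]),
               "identical": len(e["hashes"]) == 1}
        for name, e in summary.items()
    }


def build_sample_tree():
    """Construct a throwaway source tree with two stb_image copies, one stb_truetype, and a decoy."""
    root = tempfile.mkdtemp(prefix="vendor-scan-")
    files = {
        "lib/imgui/stb_image.h":
            "/* stb_image - v2.27 - public domain image loader - http://nothings.org/stb\n",
        "src/thirdparty/stb/stb_image.h":
            "/* stb_image - v2.28 - public domain image loader - http://nothings.org/stb\n",
        "lib/scopehal/stb_truetype.h":
            "// stb_truetype.h - v1.26 - public domain\n",
        "src/stb_util.h":
            "/* stb_util.h - local helpers, not an stb header */\n",
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name, info in sorted(summarize(find_vendored_stb(root)).items()):
        print(f"{name}: {info['count']} copies, versions {info['versions']}, "
              f"identical={info['identical']}")
```

Run against a real unpacked .orig.tar the same walk gives the security team the list a multi-orig naming convention would otherwise have to encode in file names; the sha256 column is what distinguishes a plain second copy from one carrying custom patches.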
    

(c) 1994,  bbs@darkrealms.ca