caml-list - the Caml user's mailing list
* custom copies of libraries (was Re: [Caml-list] OCaml Labs)
@ 2012-10-21 11:45 Yoriyuki Yamagata
  2012-10-21 13:01 ` Adrien
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Yoriyuki Yamagata @ 2012-10-21 11:45 UTC (permalink / raw)
  To: Ralf Treinen; +Cc: OCaml mailing list

2012/10/21 Ralf Treinen <treinen@free.fr>:
> avoiding custom copies of libraries that are published independently,

Completely off-topic, but is making custom copies such a bad thing?  I
incline to include third-party libraries into my libraries unless
the library is too big, so that my libraries are compiled with
libraries whose behaviors are tested and guaranteed.

If we have a good package management system, things would be a bit
different, but still a package management system guarantees only, say,
that the version numbers of libraries are higher than XXXX, which does
not preclude many problems.

-- 
Yoriyuki Yamagata
yoriyuki.y@gmail.com


* Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)
From: Adrien @ 2012-10-21 13:01 UTC (permalink / raw)
  To: Yoriyuki Yamagata; +Cc: Ralf Treinen, OCaml mailing list

Mozilla, a corporation with a budget around 100 million USD, does this
for firefox and other software. Obviously, it seems to be working.

It seems.

Earlier this year, it was discovered they hadn't updated their version
of cairo that had a known security hole for 6 months.

There's also APNG support. Except it requires a specially-patched
libpng which mozilla also ships along with the sources of firefox.

In the firefox 16 sources, you will find at least the media/,
security/, nsprpub/, gfx/, modules/ directories which are full of
libraries, almost all 3rd party. These five directories total 145MB, a
fourth of the total size of the firefox sources. The bz2 archive of
firefox is 86MB while the bz2 archive of thunderbird is 107MB and most
of the data probably overlaps.

Mozilla, with more than a hundred million USD, has issues with it. I
think it's quite telling.

In the OCaml world, there used to be the Caml Development Kit (CDK): a
bundle of libraries you could include in your tarballs in order to not
depend on the libraries from the system. While things are different
for OCaml (static linking mainly), it still costs in size, compilation
time, maintainability, upgradability.

By including and preferring local copies of libraries, you make
integration, upgrades, maintenance harder. And when _you_ stop doing
it, it gets awful for others.

There are many downsides while the right way to do it is much
simpler! It can be documentation (README or INSTALL files) and/or
compile-time checks (checking for version X.Y.Z). If it doesn't match
your expectations but the API is still compatible, you can issue a
warning but avoid aborting the build. Nowadays, OCaml libraries are
widely-available, properly packaged, and usually rely on ocamlfind.
There is really no need to make local copies.

-- 
Adrien Nader


* Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)
From: Ralf Treinen @ 2012-10-21 15:24 UTC (permalink / raw)
  To: OCaml mailing list

On Sun, Oct 21, 2012 at 08:45:53PM +0900, Yoriyuki Yamagata wrote:
> 2012/10/21 Ralf Treinen <treinen@free.fr>:
> > avoiding custom copies of libraries that are published independently,
> 
> Completely off-topic, but is making custom copies such a bad thing?  I
> incline to include third-party libraries into my libraries unless
> the library is too big, so that my libraries are compiled with
> libraries whose behaviors are tested and guaranteed.

Adrien's message has explained very well the problem: it makes it
impossible to upgrade all installed copies of a library when it
becomes necessary. This is particularly bad when there is a security
problem with a certain version of a library. In other words, using
custom copies of libraries may be easier at the moment, but it
is not sustainable in the long run.

> If we have a good package management system, things would be a bit
> different, but still a package management system guarantees only, say,
> that the version numbers of libraries are higher than XXXX, which does
> not preclude many problems.

That depends on the kind of version constraints that your packaging system
allows for, and how you use them when you build a package for your 
application. Debian gives you the choice of version constraints
(<<, <=, >>, >=, ==, !=), and I imagine other packaging systems do the
same. It is up to the packager to use the constraints that fit the best
for his case (or use the right tools that generate these).

Cheers -Ralf.

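
The build-time check discussed in the two messages above (refuse a version that fails a hard constraint, warn but continue on an untested one), using the six constraint operators listed in the last message, as an added example that is not code from anyone in this thread. The package name `examplelib`, the version numbers and the function names are constructed, and versions are assumed to be purely numeric and dot-separated.

```shell
#!/bin/sh
# vercmp A B: print -1, 0 or 1 for dotted numeric versions (1.2 equals 1.2.0).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# satisfies VERSION OP BOUND: exit status 0 if VERSION meets the constraint.
satisfies() {
    c=$(vercmp "$1" "$3")
    case $2 in
        '<<') [ "$c" -lt 0 ] ;;
        '<=') [ "$c" -le 0 ] ;;
        '>>') [ "$c" -gt 0 ] ;;
        '>=') [ "$c" -ge 0 ] ;;
        '==') [ "$c" -eq 0 ] ;;
        '!=') [ "$c" -ne 0 ] ;;
        *) echo "unknown operator: $2" >&2; return 2 ;;
    esac
}

# check_dep NAME INSTALLED HARD_OP HARD_VER TESTED_VER
# Returns 0 = the tested version, 1 = acceptable but untested (warn, keep
# building), 2 = hard constraint violated (the build should stop).
check_dep() {
    if ! satisfies "$2" "$3" "$4"; then
        echo "error: $1 $2 does not satisfy '$3 $4'" >&2
        return 2
    fi
    if ! satisfies "$2" '==' "$5"; then
        echo "warning: $1 $2 is untested (tested with $5); continuing" >&2
        return 1
    fi
    return 0
}

# Constructed demo values. A real configure script would read the version
# with: installed=$(ocamlfind query -format '%v' examplelib)
check_dep examplelib 1.4.2 '>=' 1.4.1 1.5.0 || echo "check_dep returned $?"
```

Setting the hard bound to the first release that carries a security fix makes the build stop on an affected system copy, while still accepting later releases that were never tested against.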

* Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)
From: Francois Berenger @ 2012-10-23  1:47 UTC (permalink / raw)
  To: caml-list

On 10/21/2012 08:45 PM, Yoriyuki Yamagata wrote:
> 2012/10/21 Ralf Treinen <treinen@free.fr>:
>> avoiding custom copies of libraries that are published independently,
>
> Completely off-topic, but is making custom copies such a bad thing?  I
> incline to include third-party libraries into my libraries unless
> the library is too big, so that my libraries are compiled with
> libraries whose behaviors are tested and guaranteed.

Plus, when you do this, your software can be compiled and run right 
after checkout.

> If we have a good package management system, things would be a bit
> different, but still a package management system guarantees only, say,
> that the version numbers of libraries are higher than XXXX, which does
> not preclude many problems.




* Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)
From: Richard W.M. Jones @ 2012-10-28  9:03 UTC (permalink / raw)
  To: Yoriyuki Yamagata; +Cc: Ralf Treinen, OCaml mailing list


On Sun, Oct 21, 2012 at 08:45:53PM +0900, Yoriyuki Yamagata wrote:
> 2012/10/21 Ralf Treinen <treinen@free.fr>:
> > avoiding custom copies of libraries that are published independently,
> 
> Completely off-topic, but is making custom copies such a bad thing?

Yes.  It's a complete blocker for inclusion of your package
in any Fedora / RHEL derivative.

Rich.

-- 
Richard Jones
Red Hat


* Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)
From: Yoriyuki Yamagata @ 2012-10-28 11:13 UTC (permalink / raw)
  To: Richard W.M. Jones; +Cc: Ralf Treinen, OCaml mailing list

To avoid a misunderstanding, I want to stress that Camomile does not
do this, except for the test scripts.  This is because Camomile is
older than most OCaml libraries currently in use, so I had to
implement most functionality from scratch anyway :)

2012/10/28 Richard W.M. Jones <rich@annexia.org>:
>
> On Sun, Oct 21, 2012 at 08:45:53PM +0900, Yoriyuki Yamagata wrote:
>> 2012/10/21 Ralf Treinen <treinen@free.fr>:
>> > avoiding custom copies of libraries that are published independently,
>>
>> Completely off-topic, but is making custom copies such a bad thing?
>
> Yes.  It's a complete blocker for inclusion of your package
> in any Fedora / RHEL derivative.
>
> Rich.
>
> --
> Richard Jones
> Red Hat

-- 
Yoriyuki Yamagata
yoriyuki.y@gmail.com
