From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <camaradetux@gmail.com>
X-Original-To: caml-list@sympa.inria.fr
Delivered-To: caml-list@sympa.inria.fr
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82])
	by sympa.inria.fr (Postfix) with ESMTPS id 66B037EC41
	for <caml-list@sympa.inria.fr>; Sun, 21 Oct 2012 15:01:31 +0200 (CEST)
Received-SPF: None (mail1-smtp-roc.national.inria.fr: no sender
  authenticity information available from domain of
  camaradetux@gmail.com) identity=pra;
  client-ip=209.85.220.182;
  receiver=mail1-smtp-roc.national.inria.fr;
  envelope-from="camaradetux@gmail.com";
  x-sender="camaradetux@gmail.com";
  x-conformance=sidf_compatible
Received-SPF: Pass (mail1-smtp-roc.national.inria.fr: domain of
  camaradetux@gmail.com designates 209.85.220.182 as permitted
  sender) identity=mailfrom; client-ip=209.85.220.182;
  receiver=mail1-smtp-roc.national.inria.fr;
  envelope-from="camaradetux@gmail.com";
  x-sender="camaradetux@gmail.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: None (mail1-smtp-roc.national.inria.fr: no sender
  authenticity information available from domain of
  postmaster@mail-vc0-f182.google.com) identity=helo;
  client-ip=209.85.220.182;
  receiver=mail1-smtp-roc.national.inria.fr;
  envelope-from="camaradetux@gmail.com";
  x-sender="postmaster@mail-vc0-f182.google.com";
  x-conformance=sidf_compatible
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiACAGXxg1DRVdy2mGdsb2JhbABEwBAGcQgjAQEBAQEICQ0HFCeCHAUBAQQSAiwBGx0BAwwGBQs7IgERAQUBHAY1hSeCHwkBAw+dCQkDjCiCdoN5ChknDVmIdQEFDIt6hkgDjgaEOYMyjlgWKYQTgVo
X-IronPort-AV: E=Sophos;i="4.80,625,1344204000"; 
   d="scan'208";a="178198130"
Received: from mail-vc0-f182.google.com ([209.85.220.182])
  by mail1-smtp-roc.national.inria.fr with ESMTP/TLS/RC4-SHA; 21 Oct 2012 15:01:30 +0200
Received: by mail-vc0-f182.google.com with SMTP id fw7so3466064vcb.27
        for <caml-list@inria.fr>; Sun, 21 Oct 2012 06:01:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=ve4arsJBvUF1LaSKNbgo6FWuDegubdlDXcpXTKcfKQo=;
        b=FlAhnCJ5IaVVDvT0HK17x+vTIi1Hp2AGdZruO1NpRXLRU86Cpxud3ZCuKCmmOpThUw
         A5oVon9X1XdS4Q72D1wxvcp8zxWpnnjy7ry+04zqmnSYoXQc5tqcHM+INlhi/bmfv45i
         Fz2e1TxfIvgtW63qAsIlAbwpovnQAGgIZJ2vcAxrIM6EVFgwsRkHYEZgP9wSetfv7/ey
         /zSsP9LH43qSovTBX0I38GQhpCKpFVCsxBTuLotnxrVdOLL/Yd95sEMiiJCKxW8X6sAR
         Cx7jx/ApXaHnyTNxIqPZ7I3K7vmEyoeodpW4U2snRZ1mAItTI8QYh3x/VpfPS6ge7TTG
         M3QA==
MIME-Version: 1.0
Received: by 10.52.95.34 with SMTP id dh2mr7920562vdb.69.1350824489686; Sun,
 21 Oct 2012 06:01:29 -0700 (PDT)
Received: by 10.52.33.82 with HTTP; Sun, 21 Oct 2012 06:01:29 -0700 (PDT)
In-Reply-To: <CALdQWQ46M2hUtsscNueW0BD99pLnYJ2JwbrPFTROg1dJQgQEbg@mail.gmail.com>
References: <CALdQWQ46M2hUtsscNueW0BD99pLnYJ2JwbrPFTROg1dJQgQEbg@mail.gmail.com>
Date: Sun, 21 Oct 2012 15:01:29 +0200
Message-ID: <CAP5QFJ=hGt8w5OrnjvLFFrN+n2jhNiCQL4SJ33HvGMd4EPPAEA@mail.gmail.com>
From: Adrien <camaradetux@gmail.com>
To: Yoriyuki Yamagata <yoriyuki.y@gmail.com>
Cc: Ralf Treinen <treinen@free.fr>, OCaml mailing list <caml-list@inria.fr>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: custom copies of libraries (was Re: [Caml-list] OCaml Labs)

Mozilla, a corporation with a budget around 100 million USD, does this
for firefox and other software. Obviously, it seems to be working.

It seems.

Earlier this year, it was discovered they hadn't updated their version
of cairo for that had a known security hole for 6 months.

There's also APNG support. Except it requires a specially-patched
libpng which mozilla also ships along with the sources of firefox.

In the firefox 16 sources, you will find at least the media/,
security/, nsprpub/, gfx/, modules/ directories which are full of
libraries, almost all 3rd party. These five directories total 145MB, a
fourth of the total size of the firefox sources. The bz2 archive of
firefox is 86MB while the bz2 archive of thunderbird is 107MB and most
of the data probably overlaps.

Mozilla, with more than a hundred million USD has issues with it. I
think it's quite telling.

In the OCaml world, there used to be the Caml Development Kit (CDK): a
bundle of libraries you could include in your tarballs in order to not
depend on the libraries from the system. While things are different
for OCaml (static linking mainly), it still costs in size, compilation
time, maintainability, upgradability.

By including and preferring local copies of libraries, you make
integration, upgrades, maintenance harder. And when _you_ stop doing
it, it gets awful for others.

There are many downsides while the right way to do it is  much
simpler! It can be documentation (README or INSTALL files) and/or
compile-time checks (checking for version X.Y.Z). If it doesn't match
your expectations but the API is still compatible, you can issue a
warning but avoid aborting the build. Nowadays, OCaml libraries are
widely-available, properly packaged, and usually rely on ocamlfind.
There is really no need to do make local copies.

-- 
Adrien Nader