
Re: [ardour-dev] ardour



>Debian ships a default C++ compiler which is the same that was used to
>build the provided libraries, except during transitions (and stable
>users don't see those transitions).
>Users building applications with another compiler should really know
>what they are doing.

Ok, so if I understand you correctly, your claim is that Debian users
never end up with libraries built by a different compiler than the one
on their system? If this was true (I have some doubt that it is), then
that would certainly help things a lot. It's certainly not true of
RedHat, Mandrake and others, who also ship a default C++ compiler
which is also used to build the provided libraries. Users end up
updating a library or a compiler for one reason or another, and things
suddenly get out of sync.

What about those people who decide that they wanted gcc 3.0's better
performance on their machine, installed it, switched to it as the
default, never compiled any C++ until one day ...

>> >work, helped by the autobuilders. Moreover, the build dependencies can
>> >guarantee you the package will build fine if you try at home.
>>
>> !!NO THEY DO NOT!! why can people not understand this? there is no
>
>Why can't people understand that linking to a static library is BAD ?

it poses some problems yes. but nothing as deep as programs that
simply don't run correctly for completely inobvious reasons. i
wouldn't advocate static linking for C, for example, but for C++, the
situation is very difficult.

as for security issues, that's pretty much irrelevant for a program
that to be used as intended, requires root privilege or various
capabilities that make it possible to do anything with the
machine. such a program is a massive security hole, and will be until
the basic level of security granularity in the kernel changes. i'm not
particularly interested in issues like a buffer overflow fix in some
C++ library when the program itself is such a huge security hole.

when the kernel one day lets a thread just use SCHED_FIFO and/or
mlockall() can come with a limit on the amount of memory that can be
locked into RAM, issues like security patches in libraries will start
to matter again.

i'm not saying that they are irrelevant; it's true that many people
would use ardour without root privilege, and yet might still have
these security holes floating around. it's just that in the scheme of
things, some things are much, much bigger than others.

>> dependency system for linux in existence that can check this. it's not
>> a matter of checking which version of a library is installed, or which
>> version of a compiler. it's a matter of checking:
>>
>> 	a) which compiler a C++ library was compiled with
>> 	b) which compiler flags were used
>
>Using a strict policy can almost guarantee this. Why do you think people
>have been thinking for months about a suitable transition plan for G++
>3.2 ? You are not alone in the world, and hundreds of other C++ software
>have exactly the same issues. Why do you think appropriate solutions for
>these programs are not suitable for yours ?

i am not claiming "exception" status. it's just that i have never seen
an "appropriate solution". all the ones that have been suggested seem
to rely on a social contract between Debian and its users. this makes
them:

    * subject to violation by people who don't even realize that
        there is such a contract.
    * not much use for other linux distributions.

>What we are speaking of here is building a Debian package, with a
>maintainer. Users don't build the package, the maintainer and the
>autobuilders do. The maintainer ensures that the package is built with
>the compiler that was already used to build the libraries it depends on.
>All of this guarantees the program will work, and with *dynamic*
>libraries, while the user never has to build the software. If the user
>doesn't build the software himself, all the issues you describe will
>never appear.

*if* this is all completely true, then i *am* happy with the idea of
debian packages dynamically linked against other C++ libraries.

however, it will not be acceptable for a source package, and it
will not be acceptable for other linux distributions. this means that
the mainstream source will not build in the same way as the debian
package, which may or may not be a good thing.

i would like to see a debian package of ardour, i really would. but
the claims i have read about "complaints will go to the maintainer
first" don't convince me, and neither does anything you have written
so far, that such a package would not result in many emails to me
and/or the ardour email lists talking about strange behaviour by the
program on someone's machine. i could punt this back down to the
maintainer, i suppose.

--p




