
Re: [RFC] Go (golang) packaging



On Thu, Jan 3, 2013 at 12:17 PM, Alastair McKinstry
<alastair.mckinstry@sceal.ie> wrote:
> On 2013-01-03 08:41, Reinhard Tartler wrote:
>> On Wed, Jan 2, 2013 at 10:26 PM, Wouter Verhelst <wouter@debian.org> wrote:
>>> On Wed, Jan 02, 2013 at 01:05:46PM +0100, Guillem Jover wrote:
>>>>     - Private dependencies, as they leak to rdeps. When a library uses
>>>>       another library privately this dependency gets linked in directly
>>>>       in all other rdeps, when that library stops depending on that
>>>>       private dependency, all rdeps need to be rebuilt.
>>> Strictly speaking, if you're only using static libraries this is not
>>> really true; once you've compiled something against a static library,
>>> the static library might change in whatever way it sees fit, the
>>> compiled binary will continue to work, with or without recompilation.
>> Consider this from the application perspective: Say an application
>> links against a library libfoo.a. At some point, libfoo decides to
>> include compression support, and requires functionality from libz. No
>> problem for the library package maintainer; he just adds a
>> build-dependency on libz-dev, and uploads the package. At some point
>> the security team needs to update the application and finds the
>> package to FTBFS because libz is missing. The solution, of course, is
>> now to extend the build-dependencies of the application package.
>> However, this is not obvious and in any case more effort than a
>> binNMU.
>>
> Yes, there are compile-time dependencies for any static library. We do
> need to track these. In practice we already have a mechanism in
> pkg-config, but this is (I believe) not properly formalised in Debian.

and generally pretty broken: see e.g. #622931

IIRC, the pkg-config maintainer dislikes static linking and the
situation is that many if not most .pc files in Debian do not fully
declare all dependencies that would be required for static linking.

>
> In the case you mention, if libfoo now depends on libz, adding a build
> dependency on libz-dev fixes the problem with libfoo.so as it will
> automatically pull in libz.so

Yeah, which does not really scale IMO. And doesn't solve the issue
that the application still needs to track the exact version of all
libraries that were used for linking, e.g. using the Built-Using
header.

> However, the packager should _also_ provide a pkg-config file and this
> will have a list of the dependencies, so
> LIBS:=`pkg-config --static --libs foo`
> does the right thing, and the updated libfoo-dev package will include
> -lz on the libs line.
>
> I think we should do the following:
>
> (1) pkg-config files for libraries, in particular all those that ship
> static libs, to be a release goal for jessie.

I would vote against this. It is really not worth the trouble.




-- 
regards,
    Reinhard
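
The libfoo/libz case discussed in this message, as an added example that is not part of the original thread and is not pkg-config's own code: a simplified model of how `Libs`, `Libs.private`, `Requires` and `Requires.private` decide the shared versus static link line, and how an incomplete .pc file shows up. The .pc contents, the `foo-broken` entry and the function names are constructed for illustration; version constraints in `Requires` are not handled.

```python
# Simplified model of pkg-config link-line resolution (illustrative only).

# Constructed .pc contents: libfoo has gained a private dependency on zlib.
PC_FILES = {
    "foo": "Name: foo\nVersion: 1.1\nLibs: -lfoo\nRequires.private: zlib\n",
    "zlib": "Name: zlib\nVersion: 1.2.7\nLibs: -lz\n",
    # Hypothetical .pc file that does not declare the private dependency.
    "foo-broken": "Name: foo\nVersion: 1.1\nLibs: -lfoo\n",
}


def parse_pc(text):
    """Return the 'Key: value' fields of a .pc file as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def link_flags(name, static=False, db=PC_FILES, _seen=None):
    """Linker flags for `name`; private fields are followed only if static."""
    seen = set() if _seen is None else _seen
    if name in seen:          # guard against dependency cycles
        return []
    seen.add(name)
    pc = parse_pc(db[name])
    flags = pc.get("Libs", "").split()
    deps = pc.get("Requires", "").replace(",", " ").split()
    if static:
        flags += pc.get("Libs.private", "").split()
        deps += pc.get("Requires.private", "").replace(",", " ").split()
    for dep in deps:          # dependents first, then their dependencies
        flags += [f for f in link_flags(dep, static, db, seen)
                  if f not in flags]
    return flags


def missing_for_static(name, needed, db=PC_FILES):
    """Flags a static link needs (supplied by the caller) that the .pc omits."""
    declared = link_flags(name, static=True, db=db)
    return [f for f in needed if f not in declared]


if __name__ == "__main__":
    print("shared:", link_flags("foo"))
    print("static:", link_flags("foo", static=True))
    print("gap   :", missing_for_static("foo-broken", ["-lfoo", "-lz"]))
```
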

