Re: Survey answers part 1: systemd has too many dependencies, …
Michael Stapelberg <stapelberg@debian.org> writes:
> since some people might not read planet debian, here is a link to my
> first blog post in a series of posts dealing with the results of the
> Debian systemd survey:
>
> http://people.debian.org/~stapelberg/2013/06/09/systemd-bloat.html
I was hoping you would cover my reason why I fear the "too many
dependencies":
external dependencies obfuscates what code is part of pid 1 and what is
not. Some (most?) of the external projects you depend on are probably
not developed with this use case in mind, and hence are not suitable for
being used like this. This is not a critisism of the externel
libraries. There is quite a difference between writing code which can
exit and writing code which cannot. No sane person will attempt to do
the latter unless strictly required.
You claim that the systemd code using these dependencies is simple, and
I have no reason do doubt that. But you ignore the fact that you make
the external code part of systemd. That code also needs to be audited
as if it were an integral part of systemd. You could just write a
"libpid1" and a 5 line application using that library. It should be
obvious that auditing the 5 line application would be unsufficient.
The point is that it is not obvious that all these external dependencies
are suited for use by systemd, and that the responsibility for ensuring
that they are lies with the systemd project. Not with the external
projects.
I understand that there are lots of developers having a hard time
understanding that there is a difference between
- desktop application depending on libfoo, and
- criticial (securitywise, stabilitywise, other) application depending
on libfoo
You do of course not have to agree. This is my personal opinion only.
But I believe it is useful to read Jamie Zawinski's view on screensavers
and toolkit library dependencies, and try to figure out how that can be
relevant to systemd and external dependencies:
http://www.jwz.org/xscreensaver/toolkits.html
Using a library in a critical application will make any harmless library
bug into a critical bug. Are the maintainters of those dependencies
really ready to handle that?
This is the primary reason why the list of dependencies terrifies me.
Not any of the four reasons you list, which, although valid, are only
minor issues which could be outweighed by advantages offered by the
dependency.
Bjørn
Reply to: