
Re: Reproducible, precompiled .o files: what say policy+gpl?

On Mon, Oct 18, 2004 at 10:01:05PM -0700, John H. Robinson, IV wrote:
> I agree with this. This is also not the point. You keep talking about
> packages that can only be built with a non-free compiler. The one in
> question can be built with a free or non-free compiler.

No, that's not what I said.  I'm saying that a package built with ecc
(or icc or whatever) is not the same package that you'll get if you
build the same sources with gcc; it's significantly functionally different.
If it wasn't significantly different, nobody would bother to compile
with the non-free compiler in the first place, so it's clear that the
choice of compiler matters to some people, and making a stable update
that changed to gcc would be an unacceptable stable change.

> > For example, suppose OpenSSL is built with ecc (Expensive C Compiler),
> > because it produces faster binaries, the Debian package is created with
> > it, and ends up in a stable release.  A security bug is found, and the
> > maintainer isn't available.  Can another developer fix this bug?  No:
> > you can't possibly make a stable update with a completely different
> > compiler, halving the speed and possibly introducing new bugs.  (Debian
> > is very conservative and cautious with stable updates; this is one of
> > the reasons many people use it.)
> Yes. Assuming that OpenSSL will compile properly with both gcc and ecc,
> and the source is not using tricks to change functionality when compiled
> with one or the other. To me, using ecc or gcc is, or at least should
> be, similar to using gcc -O1 or gcc -O9.

Huh?  You ignored what I said: you can't make a stable update using a
different compiler, because it can introduce both performance and (more
importantly) new bugs, which is completely unacceptable for a Debian
stable security update.  You should be using the same compiler, and
the same compiler flags, too.  Debian's approach to security updates
is very clear: change only what's necessary to fix the bug.

Are you claiming that changing from one compiler to another, or changing
optimization flags, can't introduce bugs?  If so, please stay away from
any security-sensitive packages ... :)

> gcc is written under the GPL. I can write a non-free program, keep the
> source entirely secret, and distribute my program in binary form only,
> with a very restrictive license. The gcc license does not contaminate
> the resultant binary (unless, of course, I put gcc code in my program).
> Similarly, the ecc license should not prevent compiling GPL'd code. If
> it did, ecc would be unsuitable for any purpose, period.

This doesn't seem relevant.

Glenn Maynard
