
Re: libzstd 1.1.2 contains embedded zlib fork



Hi all,

On 16:50 13/01, Sascha Steinbiss wrote:
> Hi Kevin,
> 
> here on the Debian Med sprint

Happy Sprint all! Shame I can't be there this year.

> I was looking to update libzstd to the current upstream version 1.1.2.
> Besides some minor changes to the patches I had to make, I also noticed that
> it now includes an embedded copy of some zlib code, which -- according to the
> inline comments -- was adapted to be ready to compile with the zlibwrapper.
> It wasn’t clear to me whether this was really necessary; when these files are
> removed from the affected Makefile (and some minor adjustments are made) the
> build still finishes fine.

That's been there since 1.1 I think, and is AFAICT example code for an
alternative, non-packaged API that mimics the zlib API. It could be packaged
under libzstd-dev:usr/share/doc/libzstd-dev/examples or something, like I've
seen with a few development packages. Otherwise, I think nuking the sources or
just removing them from the makefile is fine. Though from memory, anything
compiled from these is not installed, so no action is probably also OK.

> TBH I don’t feel I should upload this after consulting with you. I have
> pushed my changes (tagged as UNRELEASED) and would be happy if you could take
> a second look.

AFAICT, running make in the package repo (i.e. unpatched upstream source)
doesn't touch ./zlibWrapper, and none of the Debian packages seem to have any
trace of these sources. So I'm not sure, but I think any action (including
doing nothing) should be fine, as these sources are inconsequential to any
output, compiled or otherwise. What does the DFSG say about sources that are
not compiled? They're in d/copyright anyway, IIRC FTPMASTER bounced me last
update for this exact issue, and I added them.


Happy hacking all!

Cheers,
K

---
Kevin Murray
