
Bug#550441: advi: statically links to camlimages



On Sat, 10 Oct 2009 12:28:15 +0200 Stéphane Glondu wrote:

> Michael S Gilbert wrote:
> > advi statically links to camlimages, which makes security updates very
> > complicated.  please update advi to dynamically link to camlimages.
> > thanks.
> 
> Unfortunately, this is not possible without making significant changes
> to advi (and/or OCaml itself). Almost all programs written in OCaml
> suffer from this limitation. I had already asked to have advi be
> recompiled with the new camlimages, but the request got lost somehow
> (maybe Mehdi can give more information on this).
> 
> There is no shared library support in OCaml. Upstream is hostile to this
> [1], so if some support would be added, it would be Debian-specific and
> make the whole OCaml stack of Debian diverge from everywhere else (we
> don't really want that). There is however dynamic linking (à la dlopen).
> 
> [1] http://article.gmane.org/gmane.comp.lang.caml.inria/23778

thanks for the update on the situation.  based on the link, upstream's
response is not entirely hostile.  see:

  Feature 3- (dynamic code loading) is already available in bytecode
  through the Dynlink API.  I understand there's a demand for having it
  in native-code as well, and that might be possible without too much
  fuss, at least on selected operating systems.

so, perhaps if the work is done for them, they would be willing to
accept the changes.

> Note that even if there was shared library support in OCaml, that wouldn't
> automatically make security updates easier because of the checks OCaml
> performs at link time, and it would be very unwise to disable these
> checks. In other words, an updated library can require recompilation of
> all reverse dependencies anyway.

i'm not aware of this as a concern for other packages. why is this a
larger concern for advi? usually security updates do not change the
ABI, so this (hopefully) shouldn't be a problem.  and if it is, advi
will FTBFS, so we will be more acutely aware of the fact that it needs
to be updated as well.

mike


