
Re: New dependency system.



On 13-10-2009, Stefano Zacchiroli <zack@debian.org> wrote:
> On Mon, Oct 12, 2009 at 03:22:55PM +0000, Sylvain Le Gall wrote:
>> I think it is a bit dangerous to have libX-ocaml v1.2 fulfill the
>> dependencies of libX-ocaml-dev v1.3 if there is nothing detectable in
>> the ABI checksum.
>
> I think we all agree on this point.
>
> At present, I can't find any single case in which using the new
> mechanism opens the flank to more risks than the old one. (Sure, I'm
> blindly trusting the checksums here, but quick computations done by
> Stephane show that we have a probability of collision of about 1.6e-8,
> the probability of a dumb upstream author of releasing a new C library
> breaking ABI without bumping the soname is waaaay higher than that :-))
>

I agree on this point, nothing more to say about this. The new system is
to my mind quite safe (at least I don't see an obvious reason that it can
fail).

However, my last point remains: making the package look like any other
Debian package when possible. This is the rule of the "least
modification", so that we don't use too many special ways of handling
deps.

We have a lot of "leaf packages" in pkg-ocaml-maint, so avoiding
intra-dependency checksums will reduce a lot the number of dependency
changes.

(this is not a technical reason, just a "low profile" in Debian reason).

> [1] Actually, this is rather interesting. I'm surprised that upstream
>     has never thought about this: it would be terribly useful to store
>     in some part of the .so a checksum which is verified at runtime
>     before loading the .so. I guess there is a technical reason for not
>     having done that, but I can't find exactly which at the moment.
>

Maybe the simplest example is a non-custom bytecode binary
executable?

Let's choose headache as an example.

headache uses Unix, so it must load dllunix.so.

If the bytecode format doesn't change between OCaml 3.11 and 3.12, there is no
reason to recompile headache, because it can still load dllunix.so.

If we include a checksum inside dllunix.so, headache will warn/exit with
an error, because it doesn't find the right checksum after the upgrade to OCaml
3.12.

N.B.: this is not our choice with the new dependency system, because we
will force headache to recompile when 3.11 -> 3.12, even if it is not
mandatory.

Regards,
Sylvain Le Gall

