David Baron wrote:
On Tuesday 15 March 2005 19:12, debian-user-digest-request@lists.debian.org wrote:Considering it is a commercial app, that is probably smart of them. For example, I have Neverwinter Nights and it includes SDL (though it checks an environment variable to see if you want to use your system's version). Besides, if you don't like it, edit the acroread shell script and tell it to look elsewhere for the libs. Then you can manage the libraries however you like. Like it or not, this is a trend we will see increasingly as commercial vendors ship Linux versions of their software. Basically, they ship everything except for libc.Having all the needed libraries is a plus. Having to install them as duplicates is not. It seems that the install script should be able to handle this. To hand edit that shell script and./or replace all that stuff with symlinks is a bit much. Besides, do not we all know that disk space, memory and other resources are unlimited :-)
Except that if the install script detects some library installed on the system and then considers it in satisfying some dependency, there is the potential for brokenness later on. Imagine, for example, that you have libssl installed on your machine. Say you install acroread, it finds your libssl and uses it. Say, for some reason, you uninstall libssl. acroread has now to know that you uninstalled, that is, until you start it next time and get a missing library error. Then it is a bit late to do anything about it, since the user has seen the error. I'm not sure if the RPM version they distribute checks for such dependencies, but as long as you are using an install method that does not integrate with your systems package manager, you have to be very conservative. I am willing to bet that even the RPM has lots of its own libraries to prevent users from having to hunt down all the necessary pacakges. That said, I think that it is a mistake from flexibility and security stand point. For example, acroread 7 includes libssl0.9.6. There have been numerous vulnerabilities announced for that version of libssl. How do i know they are distributing a patched version. What if a vulnerability is announced tomorrow. Will Adobe put out a new package? In a perfect world, there would be some universal package format and this would all be moot. -Roberto -- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Attachment:
signature.asc
Description: OpenPGP digital signature