On Thu, Jun 9, 2016 at 5:41 AM, Alexander Berntsen <bernalex@g.o> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 08/06/16 16:53, Rich Freeman wrote:
>> Do you propose that you can have cross-repo dependencies?
> Sure. This works well in Exherbo using Paludis. We could do it right now
> if we wanted to.
>
>> If so that creates a lot of potential issues, even if you do it
>> the NixOS way.
> You should tell Exherbo and NixOS about all these issues that they
> should be having but aren't having.
>

Perhaps you could explain how they actually prevent the issues I
brought up? Since you didn't actually quote them I'll do so:

Suppose you have 10 packages, and they each depend on zlib from a
different repository? If they collide, that is one problem to solve.
If they don't collide then you have 10 copies of zlib now, and good
luck making sure they're all secure, and of course now you're
multiplying the number of "shared" objects you keep in RAM.

How is this prevented in your proposal? Do we just accept that the
typical user might have multiple copies of a library installed, with
no guarantees that they're free of security issues?

Keep in mind that this isn't the sort of issue that might be obvious
to an end user. The average Windows user probably has 14 versions of
many common DLLs installed all from random sources and probably has a
bunch of random ones with security issues (including zlib). The
software all works, because the versions don't collide and the user
doesn't realize that they are wasting RAM and are vulnerable. So, it
would be pretty easy to say that the Windows approach "just works."

Maybe they have found some way to prevent issues like these, but the
conversation would move forward if this were actually explained,
rather than just dismissing concerns.

--
Rich
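The situation Rich describes above (several copies of zlib loaded from different places, each shipped by a different source, none of them obviously stale to the user) is something you can actually measure on a running Linux host. The script below is an added example written for this page; it is not code from the thread, from Gentoo, Exherbo or NixOS. It parses /proc/<pid>/maps in its real format, groups every mapped shared object by library name, reports libraries that are loaded from more than one distinct file, and flags copies whose filename version falls below a floor the operator sets. The three sample maps files and the "zlib below 1.2.8 is unpatched" policy are constructed for illustration and are not claims about any real release.

```python
"""Find duplicate copies of a shared library loaded across processes.

Added example, not from the mailing-list thread. Parses /proc/<pid>/maps
lines (real format; the sample data below is constructed), groups mapped
.so files by library name, and reports (a) libraries mapped from more than
one path and (b) copies whose filename version is below a hypothetical
minimum chosen by the operator.
"""
import os
import re
from collections import defaultdict

# One /proc/<pid>/maps line: start-end perms offset dev inode path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\d+\s+(?P<path>/\S+)$"
)
# "libz.so.1.2.8" -> name "libz", version "1.2.8"; "libz.so" -> version None
SO_NAME = re.compile(r"^(?P<name>lib[^/]+?)\.so(?:\.(?P<ver>[0-9][0-9.]*))?$")


def parse_version(ver):
    """'1.2.8' -> (1, 2, 8); None or '' -> () so an unknown version is never 'outdated'."""
    if not ver:
        return ()
    return tuple(int(p) for p in ver.strip(".").split("."))


def mapped_libraries(maps_text):
    """Yield (path, name, version) once per distinct shared object in one maps file."""
    seen = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mappings, [vdso], [stack], blank lines
        path = m.group("path")
        if path in seen:
            continue  # the same file is mapped several times (text, rodata, data)
        seen.add(path)
        so = SO_NAME.match(os.path.basename(path))
        if so:
            yield path, so.group("name"), so.group("ver")


def audit_loaded_libraries(maps_by_pid, min_versions):
    """Group loaded shared objects by library name across processes.

    maps_by_pid:  {pid: contents of /proc/<pid>/maps}
    min_versions: {name: "x.y.z"} minimum acceptable filename version (operator policy)
    Returns {name: {"copies": {path: sorted pids}, "outdated": sorted paths below the floor}}
    """
    copies = defaultdict(lambda: defaultdict(set))
    versions = {}
    for pid, text in maps_by_pid.items():
        for path, name, ver in mapped_libraries(text):
            copies[name][path].add(pid)
            versions[path] = ver
    report = {}
    for name, paths in copies.items():
        floor = parse_version(min_versions.get(name))
        outdated = sorted(p for p in paths if floor and parse_version(versions[p]) < floor)
        report[name] = {
            "copies": {p: sorted(pids) for p, pids in paths.items()},
            "outdated": outdated,
        }
    return report


def duplicates(report):
    """Names of libraries that are mapped from more than one distinct file."""
    return sorted(n for n, r in report.items() if len(r["copies"]) > 1)


def collect_live_maps():
    """Read /proc/<pid>/maps for every process this user may inspect (Linux only)."""
    out = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/maps") as fh:
                out[int(pid)] = fh.read()
        except OSError:  # process exited, or not ours to read
            continue
    return out


# Constructed sample: three processes; two map the distro zlib, the third maps
# an older copy vendored under /opt. Addresses, devices and inodes are fake.
SAMPLE_MAPS = {
    101: """7f0a0000-7f0a1000 r-xp 00000000 08:01 1234 /usr/lib/libz.so.1.2.8
7f0b0000-7f0b2000 r-xp 00000000 08:01 1235 /usr/lib/libssl.so.1.0.2""",
    202: """7f1a0000-7f1a1000 r-xp 00000000 08:01 1234 /usr/lib/libz.so.1.2.8
7f1a1000-7f1a2000 r--p 00001000 08:01 1234 /usr/lib/libz.so.1.2.8""",
    303: """7f2a0000-7f2a1000 r-xp 00000000 08:01 9876 /opt/vendorapp/lib/libz.so.1.2.3
7f2b0000-7f2b1000 r-xp 00000000 00:00 0 [vdso]""",
}
# Hypothetical policy for the sample: treat zlib filename versions below 1.2.8 as unpatched.
MIN_VERSIONS = {"libz": "1.2.8"}

if __name__ == "__main__":
    rep = audit_loaded_libraries(SAMPLE_MAPS, MIN_VERSIONS)  # swap in collect_live_maps() on a real host
    for name in duplicates(rep):
        print(f"{name}: {len(rep[name]['copies'])} distinct copies loaded")
        for path, pids in rep[name]["copies"].items():
            flag = "  OUTDATED" if path in rep[name]["outdated"] else ""
            print(f"  {path} (pids {pids}){flag}")
```

Two caveats for anyone running this on a real box. A filename version is a weak signal: distributions routinely backport fixes without bumping the soname version, and vendored copies are sometimes renamed, so the version floor should be confirmed against the package manager's records or a hash list rather than trusted on its own. And the maps file only shows what is loaded right now; a stale copy that is dlopen'ed on demand, or statically linked into a binary, will not appear, which is the same "the user doesn't realize" problem the message describes.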