| 1 |
On Thu, Jun 9, 2016 at 5:41 AM, Alexander Berntsen <bernalex@g.o> wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA512 |
| 4 |
> |
| 5 |
> On 08/06/16 16:53, Rich Freeman wrote: |
| 6 |
>> Do you propose that you can have cross-repo dependencies? |
| 7 |
> Sure. This works well in Exherbo using Paludis. We could do it right now |
| 8 |
> if we wanted to. |
| 9 |
> |
| 10 |
>> If so that creates a lot of potential issues, even if you do it |
| 11 |
>> the NixOS way. |
| 12 |
> You should tell Exherbo and NixOS about all these issues that they |
| 13 |
> should be having but aren't having. |
| 14 |
> |
| 15 |
|
| 16 |
Perhaps you could explain how they actually prevent the issues I |
| 17 |
brought up? Since you didn't actually quote them I'll do so: |
| 18 |
|
| 19 |
Suppose you have 10 packages, and they each depend on zlib from a |
| 20 |
different repository? If they collide, that is one problem to solve. |
| 21 |
If they don't collide then you have 10 copies of zlib now, and good |
| 22 |
luck making sure they're all secure, and of course now you're |
| 23 |
multiplying the number of "shared" objects you keep in RAM. |
| 24 |
|
| 25 |
How is this prevented in your proposal? Do we just accept that the |
| 26 |
typical user might have multiple copies of a library installed, with |
| 27 |
no guarantees that they're free of security issues? |
| 28 |
|
| 29 |
Keep in mind that this isn't the sort of issue that might be obvious |
| 30 |
to an end user. The average windows user probably has 14 versions of |
| 31 |
many common DLLs installed all from random sources and probably has a |
| 32 |
bunch of random ones with security issues (including zlib). The |
| 33 |
software all works, because the versions don't collide and the user |
| 34 |
doesn't realize that they are wasting RAM and are vulnerable. So, it |
| 35 |
would be pretty easy to say that the windows approach "just works." |
| 36 |
|
| 37 |
Maybe they have found some way to prevent issues like these, but the |
| 38 |
conversation would move forward if this were actually explained, |
| 39 |
rather than just dismissing concerns. |
| 40 |
|
| 41 |
-- |
| 42 |
Rich |
Archives