| 1 |
On Wed, 18 Dec 2019 22:02:47 +0100 |
| 2 |
Sebastian Pipping <sping@g.o> wrote: |
| 3 |
|
| 4 |
> Hi all, |
| 5 |
> |
| 6 |
> |
| 7 |
> I noticed that dev-util/cmake depends on dev-libs/expat and that |
| 8 |
> libexpat upstream (where I'm involved) is in the process of |
| 9 |
> dropping GNU Autotools altogether in favor of CMake in the near future, |
| 10 |
> potentially the next release (without any known target release date). |
| 11 |
> |
| 12 |
> CMake bundles a (previously outdated and vulnerable) copy of expat so |
| 13 |
> I'm not sure if re-activating that bundle — say with a new use flag |
| 14 |
> "system-expat" — would be a good thing to resort to for breaking the |
| 15 |
> cycle, with regard to security in particular. |
| 16 |
> |
| 17 |
> Do you have any ideas how to avoid a bad circular dependency issue for |
| 18 |
> our users in the future? Are you aware of similar problems and |
| 19 |
> solutions from the past? |
| 20 |
|
| 21 |
Fun fact: cmake is not keyworded for riscv. |
| 22 |
|
| 23 |
To think of solutions enumerating the arising problems explicitly might |
| 24 |
help here. I see a few: |
| 25 |
1. initial system bootstrap requires solving a circular dependency |
| 26 |
2. recovery from broken state (expat soname bump without preserved |
| 27 |
libs or cmake broken by one of many depends it has) |
| 28 |
|
| 29 |
[2.] effectively forbids a dependency circle. |
| 30 |
|
| 31 |
[1.] is hard to solve without users' intervention to at least flip a default flag. |
| 32 |
|
| 33 |
Some other distributions provide two packages to break the cycle. |
| 34 |
Example Gentoo solution would be: "cmake.ebuild" depends on "expat.ebuild", |
| 35 |
"expat.ebuild" depends on "cmake-with-bundled-expat.ebuild". |
| 36 |
|
| 37 |
Some examples of circular dependencies are: |
| 38 |
a) gcc/glibc/binutils toolchain. the solution is to provide prebuilt |
| 39 |
binaries as part of stage3. |
| 40 |
b) self-hosted languages without an interpreter in C (rust, golang, ghc). |
| 41 |
The solution is to provide prebuilt binaries in ebuilds. |
| 42 |
c) circular dependencies in tests. The solution is careful user's USE flags |
| 43 |
juggling: enable USE=test only for a package being tested. |
| 44 |
d) glibc depends on libidn2 to implement modern DNS demangling. |
| 45 |
glibc fixes it by not depending on libidn at build time and does manual |
| 46 |
library loading with dlopen()/dlsym(). |
| 47 |
e) vast majority of others: dependency bundling (users of autotools, gnulib, zlib, lua). |
| 48 |
|
| 49 |
All the above are not pretty. a) is simplest to maintain by ebuild maintainer |
| 50 |
and gentoo user, but probably not by releng. c) moves the burden to user. |
| 51 |
|
| 52 |
I personally would explore [e]: unconditional bundling of expat into |
| 53 |
cmake and make sure it's kept up-to-date there. |
| 54 |
|
| 55 |
[c] would be nice to be solved at portage level if portage could schedule |
| 56 |
multiple merges for the same package with different USE flags. |
| 57 |
|
| 58 |
-- |
| 59 |
|
| 60 |
Sergei |
Archives