[sheepdog-users] About bundling libraries (at least one library isa-l)

Hitoshi Mitake mitake.hitoshi at lab.ntt.co.jp
Fri Oct 17 09:33:18 CEST 2014


At Thu, 16 Oct 2014 15:35:24 +0200,
Marcin Mirosław wrote:
> 
> Hi!
> I'd like to talk about bundling libraries into sheepdog. It has
> advantages and disadvantages; at this moment these come to my mind:
> + stable API, upstream doesn't need to do anything when a new version of
> the library brings big changes
> +- a new version of the library can bring performance changes
> (performance can be either increased or decreased ;))
> - upstream should track the upstream of the bundled library to catch
> stability and security fixes
> 
> There are some stories about software which bundles some libraries; often it
> ends with removing such software from repositories due to security bugs in
> bundled libs. IMHO (as a sysadmin) it's better not to build a self-hosted
> software platform (which brings to my mind the behavior of PHP developers); it's
> better to add a new dependency for sheepdog (I mean a dependency on isa-l).
> You don't bundle e.g. gcc, userspace-rcu, pkgconfig, fuse and many more.
> What is your opinion?
> Marcin

If isa-l is provided as a standard package by major
distributions, your suggestion is reasonable. But currently there are no
standard packages. I think including isa-l in the sheepdog repository is
reasonable for now.

How about providing an option for disabling isa-l? The major
disadvantage you pointed out is related to security problems. If we have a
way to disable isa-l, it means anyone can build a secure version of
sheepdog even if someone finds security problems in isa-l.

What do you think?

Thanks,
Hitoshi



