m (Rathann moved page Packaging:Bundled Libraries Virtual Provides to Bundled Libraries Virtual Provides: No need to have this under FPC control anymore.) |
(apt-cacher-ng does not ship private sha1 lib anymore) |
Latest revision as of 20:06, 8 January 2023
A list of packages with known bundled libraries and their virtual provides
Library | Provide | Reason |
---|---|---|
Any binc | bundled(binc) | copylib |
Many modules from ccan | bundled(bobjenkins-hash) | copylib. CCAN is hard to track for two reasons: (1) CCAN encourages people to bundle individual files from its collection rather than a single library. (2) Often the individual modules are from code which is also maintained separately in another location. For these reasons, each module from CCAN needs to have its own virtual provide. Please open a new bundling exception if you wish to use a module from CCAN that is not already listed here. |
Any egglib | bundled(egglib) | copylib - see this link: https://fedorahosted.org/fpc/ticket/174 |
Any gnulib | bundled(gnulib) | copylib - see this link: https://fedorahosted.org/fpc/ticket/174 |
Any libiberty | bundled(libiberty) | copylib - see this link: https://fedorahosted.org/fpc/ticket/174 |
Many instances of md5.c[1] | bundled(md5-$IMPLEMENTATION)[2] | copylib |
Many instances of sha1.c[3] | bundled(sha1-$IMPLEMENTATION)[4] | copylib |
time-api's use of timex from openjdk8 | bundled(openjdk8-javax-time) | Reverse bundling providing a backwards compat API |
unac's recoll | bundled(recoll) | this recoll has changes that are not applicable to other applications. |
TexStudio's qcodeedit | bundled(qcodeedit) | TexStudio contains a forked copy of qcodeedit 2, which is at least two years dead. Since TexStudio is the only user, there is no benefit to a separated library, and permission to bundle has been granted. |
binutils libraries (libbfd, libcpu, libopcodes, libdecnumber) | bundled(binutils)[5] | If the package in question shares the same upstream as binutils (sourceware.org), they may bundle these libraries. This is because the libraries are developed by the application authors as common functionality shared between several applications. Being developers of both, they'll be intimately aware of both issues that arise in the libraries and know how to port to newer versions of the library as needed. Note that, at the moment, all of these applications and libraries come from sourceware.org but not all of them are used in binutils. The name was chosen as it seemed to be the more permanent and recognizable name. |
Spring RTS's lua implementation | bundled(lua) | Spring RTS includes a forked and bundled copy of Lua which has Spring RTS specific patches applied, must link to streflop, and is configured differently from stock Lua (most importantly it needs lua_Number to be a float and not a double). Lua is particularly important because parts of the game code may be written in it, which must yield exactly identical results (also floating point operations!) on all platforms. |
Any okjson | bundled(okjson) | copylib[6] |
libreplace in samba libraries | bundled(libreplace) | If the package in question shares the same upstream as samba, they may bundle the libreplace library. This is because the libreplace library is developed by the application authors as common functionality shared between several applications. Being developers of both, they'll be intimately aware of both issues that arise in the libraries and know how to port to newer versions of the library as needed. |
boost in passenger | bundled(boost) | Due to the intrusive nature of the forked changes, the efforts of the maintainer to merge as many of them as possible into the upstream boost source tree, and the visible efforts of the upstream to keep the bundled copy of boost in sync with the current boost releases. The maintainer, wako666, made efforts to redesign and merge the boost patches back to upstream boost. See https://fedorahosted.org/fpc/ticket/160 . |
pyPdf in calibre | bundled(pyPdf) | Due to the intrusive nature of the forked changes, the specificity of the changes to calibre, and the fact that pyPdf seems to be abandoned upstream. See https://fedorahosted.org/fpc/ticket/167 . |
libtidy in sigul | bundled(libtidy) | Due to libtidy being dead upstream and the code being modified to handle epub instead of html. See https://fedorahosted.org/fpc/ticket/219 . |
objectweb-asm in byteman | bundled(objectweb-asm) | Due to the specific nature of how byteman works. See the ticket for details: https://fedorahosted.org/fpc/ticket/226 . |
java_cup in byteman | bundled(java_cup) | Due to the specific nature of how byteman works. See the ticket for details: https://fedorahosted.org/fpc/ticket/226 |
Mersenne Twister 19937ar in anything | bundled(mt19937ar) | This algorithm (from http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html) is everywhere. |
fx2lib in sigrok-firmware-fx2lafw | bundled(fx2lib) | 8051 hardware bits, only useful in this firmware context, not packaged/used elsewhere. |
JAXP and JAX-WS in openjdk | bundled(JAXP) and bundled(JAX-WS) | The openJDK code contains copies of JAXP and JAX-WS that occasionally go out of sync with their upstream versions. The upstream is the same for both revisions, and the openJDK code assumes/depends on the behavior of the bundled versions. |
t4k_common's liblinebreak | bundled(liblinebreak) | t4k_common contains a forked copy of an older version of liblinebreak. This should be revisited when the t4k_common upstream is able to port their code to use the newer system copy of liblinebreak. |
libraries in firefox and icecat | bundled(libtheora) | firefox has an active security team tracking issues in their codebase. icecat is a fork of firefox that closely tracks firefox's changes. This should be periodically re-evaluated. |
event library provided by the kernel | bundled(kernel-event-lib) | The kernel should be providing the library as a shared library in the Linux 3.15 time frame so applications should plan on unbundling for F23. https://fedorahosted.org/fpc/ticket/372 |
libtommath bundled in Heimdal | bundled(libtommath) | Heimdal bundles libtommath which is modified to reduce the risk of information leakage based upon computation timing attacks. Linking against OpenSSL is not thread-safe. |
php-pecl-jsonc | bundled(libjson-c) | php-pecl-jsonc bundles libjson-c. |
libev in rubygem-nio4r | bundled(libev) | Because the nio4r places have modified the bundled libev deeply to unlock the MRI "Global VM Lock". See the comments in the spec file for details. |
jQuery bundled in rubygem-jquery-rails | bundled(js-jquery) | jquery-rails bundles specific versions of jQuery {1,2,3} and system versions might differ from time to time. |
pip bundled in python34, python35, python36 | bundled(python3-pip) | These are additional compat interpreters aimed only for testing code |
setuptools bundled in python34, python35, python36 | bundled(python3-setuptools) | These are additional compat interpreters aimed only for testing code |
Bundled in WebKitGTK+ (webkitgtk4 package) | bundled(angle) | ANGLE does not have a stable API, is difficult to update, and the version used must match that expected by WebKit, so it would be very difficult to unbundle. |
OpenSSL bundled in edk2 | bundled(openssl) | Virtual machine firmware is compiled with a different ABI than the host (and in fact it might not even be running on the same architecture as the host---e.g. ARM firmware on x86). |
1. There are multiple md5 implementations. The ones that have an actual library (libnss, libgcrypt, openssl, libmd, etc) are not covered by this exception. The ones that are copied from other applications are.
2. Change $IMPLEMENTATION depending on which implementation of md5 is being bundled. The ones known so far are Peter Deutsch's version: bundled(md5-deutsch), a C++ port of Peter Deutsch's version: bundled(md5-deutsch-c++), Colin Plumb's bundled(md5-plumb), Alexander Peslyak's bundled(md5-peslyak), Ulrich Drepper's code from gcc bundled(md5-gcc), a second implementation from Ulrich Drepper bundled(md5-drepper2), and John Polstra's bundled(md5-polstra).
3. There are multiple sha1 implementations. The ones that have an actual library (libnss, libgcrypt, openssl, etc) are not covered by this case. The ones that are copied from other applications are.
4. Change $IMPLEMENTATION depending on which implementation of sha1 is being bundled. One previously known was the Uwe Hollerbach-Peter C. Gutmann version (bundled(sha1-hollerbach)) that was found in older releases of apt-cacher-ng; see https://pagure.io/packaging-committee/issue/407
5. The version for binutils provides should be the date that the binutils checkout was made.
6. The upstream explicitly intends for this library to be "vendored" and copied directly into any projects which use it. The Fedora Packaging Committee has a general feeling of distaste for this behavior.