Re: Suggestion from the SQLite developers

From: Peter Samuelson <peter_at_p12n.org>
Date: Mon, 4 May 2009 15:33:39 -0500

[Greg Stein]
> We chose to allow options other than amalgamation because we'd heard
> feedback, "let the sysadmins upgrade sqlite independently on their
> system", rather than pinning svn to whatever-we-shipped. IOW, if we
> ship an amalgamation, then it becomes *our problem* when bugs appear
> in sqlite, and we need to spin up a new release.

Yes, and this choice is valuable. In Debian, we learned our lesson
about redundant copies of library code in our binaries. It used to be
quite common for projects to copy zlib code into their own projects
... until a potential security bug was found in it. For weeks
afterwards, the Debian Security Team was patching random packages and
releasing advisories for them. Not much fun for them, I think.

Some years later, the same thing happened with xpdf, another popular
codebase to copy and paste. So these days, we're pretty strict about
_not_ embedding library code into our binaries, unless the code really
is specific to the one project.

-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
Received on 2009-05-04 22:32:08 CEST

This is an archived mail posted to the Subversion Dev mailing list.