Re: svn commit: r1801940 - in /subversion/trunk: ./ notes/ subversion/include/ subversion/include/private/ subversion/libsvn_delta/ subversion/libsvn_fs_fs/ subversion/libsvn_subr/ subversion/tests/libsvn_delta/ subversion/tests/libsvn_subr/

On Wed, Jul 26, 2017 at 03:48:33PM +0300, Evgeny Kotkov wrote:
> Stefan Sperling <stsp_at_elego.de> writes:
>
> >> The way the lz4 code is currently embedded in libsvn_subr makes it
> >> awkward to add support for an external liblz4.
> >
> > I agree that an external library should be used during the build.
> > It makes life a lot easier for packagers on Unix-style systems,
> > and is the expected de-facto standard in that ecosystem.
>
> I would very much prefer if we didn't have the mandatory dependency on
> the external LZ4 library.

That's not what is being proposed. It's fine if the build can optionally
use a copy provided by the user, or even a copy embedded in our code.
But using that internal copy should not be mandatory.

Who will be blamed if, in the future, a package manager for some Linux/BSD
system fixes an exploitable bug in lz4, and accidentally leaves some systems
vulnerable because of a missing patch to SVN's internal copy?
Received on 2017-07-26 16:11:44 CEST