[Vm-dev] [OpenSmalltalk/opensmalltalk-vm] third-party: Stop building/using vulnerable software (#386)

[Eliot Miranda]

Hi Holger, I heartily agree with you that this is an important issue.  In talking with @ronsaldo this morning he wrote

"The painful change is building all of these third party dependencies with cmake. And cmake is not suitable at all for doing this. I would like to remove these third party dependencies on the near future, but for doing this we need a server for holding them."

and I replied

I think the best thing to do is to
a) have a directory in each build.foo* which includes the pre-built support libraries
b) have a separate repository to build the support libraries
c) a workflow where when a new version of a library is needed one checks out repository b) and builds, and then replaces the libraries in a) and commits.  That is what I'm doing with Terf.  See terf-cogvm/platforms/Cross/third-party/lib.macos32x86 & lib.macos64x64.

And he agrees.

So was soon as possible we should split the repository to create e.g. opensmalltalk-third-party and stop rebuilding third-party software unnecessarily.  We do have to decide where the products live on opensmalltalk-vm.  I propose that they live in build.*/third-party/lib

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/OpenSmalltalk/opensmalltalk-vm/pull/386#issuecomment-506004385
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/vm-dev/attachments/20190626/e39485e0/attachment.html>