On 27 May 2010 23:36, Geoffroy Couprie geo.couprie@gmail.com wrote:
> On Thu, May 27, 2010 at 10:29 PM, Igor Stasenko siguctua@gmail.com wrote:
>> On 27 May 2010 20:37, Bert Freudenberg bert@freudenbergs.de wrote:
>>> Squeak was recently removed from Gentoo Linux Ebuilds because of security issues in our bundled plugins:
>>> http://bugs.gentoo.org/show_bug.cgi?id=247363
>>> While it is convenient for us to bundle external library sources, package maintainers do not like that practice. Is there anything we can realistically do about it?
>>
>> Here's my argument:
>> These libraries are bundled because the Squeak VM could be built on a system which has no such libraries provided by default. To ensure bit-identical behavior on all platforms, Squeak developers cannot rely on platform-specific versions of these libraries, because they can vary from one system to another.
>
> If they're not there by default, you can still link dynamically to the libraries and provide them with squeak. Also, if the libraries provided by the distribution have the same major version as the one you use, you can expect compatibility, and profit from the regular updates.

You seem to have misunderstood a key point there: bit-identical behavior. Which means that the VM should provide the same output on the same input on all platforms. The chances that it will be so when you are using different versions of the same library are pretty low. So, we can update the libraries bundled with the VM, but can't link with them dynamically, because this undermines the above.