[Vm-dev] [OpenSmalltalk/opensmalltalk-vm] third-party: Stop building/using vulnerable software (#386)

Ben Coman notifications at github.com
Thu Jun 27 15:31:25 UTC 2019

On Thu, 27 Jun 2019 at 03:01, Eliot Miranda <notifications at github.com> wrote:

> @ronsaldo <https://github.com/ronsaldo> this morning wrote:
> "need a server for holding them."
Could use github "releases" (
It won't change too often so doesn't need something high volume like

> and I replied
> I think the best thing to do is to
> a) have a directory in each build.foo* which includes the pre-built
> support libraries
> b) have a separate repository to build the support libraries
Consider having a separate mirror-repo for each third-party library.

Libraries that are github hosted can just be forked.
e.g.  https://github.com/freedesktop/cairo

Libraries that are git based but hosted elsewhere can be cloned and pushed
to opensmalltalk-vm account with full history e.g.

Libraries with a git repo can just be untar'ed locally and pushed via git
to opensmalltalk-vm account
(I only spot checked, but didn't bump into a library not using git)

The thing I'm not clear on is whether there are inter-dependencies between
third-party libraries to be kept in sync.
But anyway this can be done via the library.spec files.

cheers -ben

> c) a workflow where when a new version of a library is needed one checks
> out repository b) and builds, and then replaces the libraries in a) and
> commits. That is what I'm doing with Terf. See
> terf-cogvm/platforms/Cross/third-party/lib.macos32x86 & lib.macos64x64.
> And he agrees.
> So as soon as possible we should split the repository to create e.g.
> opensmalltalk-third-party and stop rebuilding third-party software
> unnecessarily. We do have to decide where the products live on
> opensmalltalk-vm. I propose that they live in build.*/third-party/lib
