docs: Add info about factors that affect dependency list #15222
ACK - looks good to me
This PR reduces clarity of the build instructions, IMO.
@hebasto Granted, some information is lost, but I felt it was not crucial to tell the user for what reason librsvg is needed. Do you think it is important? If so, why?
Yes.
The task of any docs is to provide a user with clear and relevant info.
@hebasto Then maybe the instructions should state exactly why every dependency is needed? :)
I'm not a fan of removing this information. Currently https://github.com/bitcoin/bitcoin/blob/master/doc/dependencies.md points back to the OS specific build instructions for more information. macOS instructions are far less detailed than Linux at the moment, and I've often just looked there. Maybe we can add a section where we briefly mention which dependencies can be avoided or added:
(not sure about the others) I'm fine with including
@Sjors
Agree, it slightly reduces the information for no good reason IMO.
a0d6cd6 to 0c8cf22
Updated. I added the info provided by @Sjors as a new column in
doc/dependencies.md
Outdated
| zlib | [1.2.11](https://zlib.net/) | | | | No | | ||
| Dependency | Version used | Minimum required | CVEs | Shared | [Bundled Qt library](https://doc.qt.io/qt-5/configure-options.html#third-party-libraries) |Notes| | ||
| --- | --- | --- | --- | --- | --- | --- | | ||
| Berkeley DB | [4.8.30](https://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index.html) | 4.8.x | No | | |Not needed if you compile with `--disable-wallet`, or `--with-incompatible-bdb`| |
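Review bot: the Notes cell on the Berkeley DB row lists `--with-incompatible-bdb` next to `--disable-wallet` as a way to make the dependency unnecessary, but only `--disable-wallet` removes the need for Berkeley DB. Per the Ubuntu & Debian build instructions, `--with-incompatible-bdb` still builds against Berkeley DB and only accepts a version other than 4.8.x, at the cost of binary wallet compatibility with the distributed executables. Suggest limiting the note to `--disable-wallet` and describing `--with-incompatible-bdb` separately as relaxing the 4.8.x requirement. As a style point, `|Notes|` and the note text lack the space padding the other cells use.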
Building with `--with-incompatible-bdb` option does not make Berkeley DB dependency unneeded.
From Ubuntu & Debian Dependency Build Instructions:
Ubuntu and Debian have their own libdb-dev and libdb++-dev packages, but these will install BerkeleyDB 5.1 or later. This will break binary wallet compatibility with the distributed executables, which are based on BerkeleyDB 4.8. If you do not care about wallet compatibility, pass `--with-incompatible-bdb` to configure.
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Conflicts
Reviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
I don't think adding the extra column to the table in dependencies is the right approach. Try adding a new section at the bottom instead "Configuration options". There you can explain the effect of each Regarding Berkeley DB: it's used by the wallet, so you don't need it at all if you compile with P.S. I didn't know Github integrated so well with the
Still tend toward NACK. I think it's better to keep this information where it is and can be easily found.
Thanks for weighing in, @laanwj. I see your point. As @Sjors writes above, the main target audience for these instructions is probably users, not developers. As a result, I think it makes a lot of sense to think along the lines of "convention over configuration" and hide complexities wherever possible. Taking away non-crucial info can greatly improve docs like these, sometimes. Having said this, I admit that this PR (that started as a small simplification) may be growing over my head. I may not see the full implications of centralizing dependency info for several platforms into one place. Nonetheless, @Sjors' suggestion to extend
Since I got some pushback against the change to simplification of the build instructions, this PR has now "pivoted" into being about the added dependency info only. @Sjors, I intentionally omitted the info about
Ok, so now it's strictly adding information, which should not be controversial.
Travis ran into a linter issue (some trailing whitespace, most code editors have an option to prevent that).
ACK a59529e
utACK a59529ed2c579d015e7867eb23ba353b7a616bec
Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
Updated after comments from @flack.
re-ACK 55e05a8
@@ -17,6 +17,7 @@ These are the dependencies currently used by Bitcoin Core. You can find instruct | |||
| libevent | [2.1.8-stable](https://github.com/libevent/libevent/releases) | 2.0.22 | No | | | | |||
| libjpeg | | | | | [Yes](https://github.com/bitcoin/bitcoin/blob/master/depends/packages/qt.mk#L65) | | |||
| libpng | | | | | [Yes](https://github.com/bitcoin/bitcoin/blob/master/depends/packages/qt.mk#L64) | | |||
| libsrvg | | | | | | |
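Review bot: the first cell of the added row is spelled `libsrvg`, while the library is librsvg, so the name will not match what readers search for in this table or in the build instructions. Suggest changing the cell to `librsvg`. Every other cell in the row is empty; if no version, minimum or CVE status is being stated yet, it would help to say so in the Notes column rather than leave the row blank.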
There's a bunch of CVEs for librsvg, though afaik they all involve a specially crafted SVG file. Since we don't let users open arbitrary images, I doubt they matter. So that also means we don't have to recommend a minimum version.
@laanwj thoughts on what to put in the CVE column in this case (current PR leaves it blank)? Either way I think that can wait for another PR.
Out of an abundance of caution, I would just set the minimum to 2.41.2 which fixes the most recent CVE. It's almost a year old, which is ancient for most macOS users :-)
However it seems our macOS Gitian build would then be in violation of that, since Bionic is still at 2.40, and they don't even list this CVE in their tracker.
Right—if it's linked into bitcoin-qt itself—and not a side dependency used for tooling only—these kinds of indirect vulnerabilities could still be a problem. In many cases exploitation involves multiple stages, where one exploit is able to insert something into memory which another bug will stumble over, eventually resulting in RCE. So in that case it should be mentioned.
This is pretty useful info now, thanks!
55e05a8 Added some factors that affect the dependency list (Martin Erlandsson)

Pull request description:

To simplify build instructions, the librsvg formula should be moved to the main `brew install ...` command, in my opinion. It is not a big problem to install a single extra formula, and it will only be unused for some users.

An additional reason for this change is that I would like to add a comment (in a future PR) about making sure you have the latest version of all deps (in the case of preexisting formulae). That comment can be authored more clearly if this simplification PR is merged.

Tree-SHA512: e63284a4e0584f071a920f6b8ac46694de38e7b1df1e0dc2b00262c1487a2f2851fae721e8f4907a4aad0335f287e881974df6f9d05fe9b26f0ba71033dce145
Summary: Backport of core [[bitcoin/bitcoin#15222 | PR15222]].

Test Plan: Read the doc.

Reviewers: #bitcoin_abc, deadalnix

Reviewed By: #bitcoin_abc, deadalnix

Differential Revision: https://reviews.bitcoinabc.org/D5637
To simplify build instructions, the librsvg formula should be moved to the main `brew install ...` command, in my opinion. It is not a big problem to install a single extra formula, and it will only be unused for some users.
An additional reason for this change is that I would like to add a comment (in a future PR) about making sure you have the latest version of all deps (in the case of preexisting formulae). That comment can be authored more clearly if this simplification PR is merged.