Revert "windows: distribute vcredist loose files" #11068
Conversation
|
How is it not covered under the "compiler, kernel, and so on" statement? |
|
In order for the system library exception to apply, both of these conditions must be fulfilled:
We are currently complying with the first condition but not the second. Why the GPL includes this second condition is described at https://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL. |
|
The reason it includes it is to be a pain in the ass. Oh well, whatever. If we abide by that it means we cannot support per-user installation (well, it would be supported with msix). A bit idiotic. Will also have to use #11051 to invoke the vcredist installer. |
|
I can see the argument tho. If one includes it for convinience, the chance that it might not be the original build but a malicious one goes up by a lot. Not having it there in first place gets that out of the picture. |
|
BS argument imo. If you care about that, then you need a real way to tell. the msvcrt files are authenticode signed so such a thing is possible. |
|
Authenticode only provides authenticity though, doesn't it? I don't recall it preventing execution if it wasn't signed (or signed differently); like a strong name in .NET |
I don't think GNU people give two hoots here about security. Their argument was simply it may be a loophole for any non-GPL libraries linked in to not be covered under GPL, so they stipulated that the system library cannot come with the program to be counted as a system library. (Of course forcing libraries linked over to be under GPL is BS anyways but that's the BS you deal with using GPL annoyingly) |
Windows can be configured to block execution/loading of any files which do not meet policy based on many things, signer being one of them. I was just providing an example why the argument doesn’t work, it’s not like it matters in this context though. |
Doesn't including the vcredist installer also violate this? It is just a package containing the DLLs, anyway. (Internally the installer may fetch DLLs from the network, as well). |
That's where it becomes a matter of interpretation. I don't think I can safely claim anything one way or another regarding this. |
|
Did you consider bundling the Wine implementation instead? That one is LGPL. This was one suggestion in a Stack Exchange thread regarding the same issue. |
|
That is the C runtime, not the C++ runtime. |
|
Would anyone object if I merged this today? A discussion on what we could do in the future is good to have, but for now I'd like to just go back to the status quo so that we're not blatantly violating the GPL anymore. |
|
You're probably aware of this, but Microsoft released their STL under the Apache License 2.0 with LLVM Exception: https://github.com/microsoft/STL. Does that change anything in regards to the GPL? I would think that would make it OK if you're only including the C++ standard library, but IANAL. I don't think it would be too hard to add a build-bot job to build the C++ standard library from that repo if you're concerned about proving provenance. |
From the GPLv2 (emphasis added):
By shipping the Visual C++ DLLs with the executable, the system library exception no longer applies, meaning we're obligated to provide source code for the DLLs. This is of course impossible.
Text to the same effect is also present in the GPLv3.