Please allow bypassing bundled libs (so that system package equivalents are used, instead) #90

Closed
hartwork opened this Issue Jul 20, 2018 · 5 comments

hartwork commented Jul 20, 2018

Hi Martin,

dvisvgm bundles a number of libraries, some of which have standalone packages in modern Linux distributions. Inspecting the libs folder I find these bundled dependencies (— and their availability in Gentoo for an example):

  • brotli — app-arch/brotli 1.0.5
  • clipper — n/a
  • ff-woff — n/a
  • variant — dev-libs/boost 1.65.0
  • woff2 — media-libs/woff2 1.0.2
  • xxHash — dev-libs/xxhash 0.6.4

When a vulnerability (or some other bug) in one of these dependencies is fixed, the user only benefits with the next release of dvisvgm, provided you keep all of these up to date yourself for every release. It would be awesome to have configure options to compile and link against system-wide versions of these packages so that when they are updated all using apps — including dvisvgm — get the fix.
There is more on that topic at https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies but it's not specific to Gentoo; Debian tries to patch out bundled dependencies as well. If there were options to bypass the bundles, it would make user life more secure and downstream life less patching effort.

What do you think?

Owner

mgieseki commented Jul 21, 2018

Hi Sebastian,

actually, unbundling some of the libraries is already on my to-do list since we also have a no-bundled-libraries policy for Fedora. The unbundling currently takes place in the spec file used to build the rpm. I've kept the libraries for now to simplify building dvisvgm for TeX Live.

I'll discuss the topic with the TeX Live maintainers and will probably unbundle brotli, woff2 and xxhash. ff-woff is a reduced version of libfontforge where the latter can be used alternatively. On Windows the latter is hard to build. Therefore, I'm currently working on a complete replacement for ff-woff.

As I'd like to avoid adding a dependency on boost, I chose the C++17-compliant variant class by mpark which is a header-only implementation. So there's no binary code linked in this case.

@mgieseki mgieseki self-assigned this Jul 21, 2018

hartwork commented Jul 21, 2018

If there was a way to use system brotli, woff2 and xxhash, that would be awesome.

@mgieseki mgieseki closed this in edd9067 Jul 30, 2018

Owner

mgieseki commented Jul 30, 2018

I added the new option --enable-bundled-libs to the configure script which must now be used to link the bundled libraries brotli, woff2, and xxhash, i.e. it retains the previous behavior. If it's omitted, configure looks for the corresponding system libraries.
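
A packager's check for the behavior described in the comment above, added here as an example and not part of the thread or the dvisvgm project: it reads `readelf -d` output and reports whether brotli, woff2 and xxhash are direct shared dependencies of the binary. The function names and sample inputs are constructed, and the soname prefixes (`libbrotli*`, `libwoff2*`, `libxxhash`) are assumptions about how the system packages name their shared objects.

```shell
#!/bin/sh
# Added example (not dvisvgm project code). Input: `readelf -d <binary>` on stdin.
# DT_NEEDED entries list only the binary's direct dependencies, so a libbrotli
# pulled in transitively by another library (which `ldd` would also list) is
# not mistaken for dvisvgm's own linkage.
# Assumption: system packages install libbrotli*.so, libwoff2*.so, libxxhash.so.

needed_libs() {
    # Extract the soname from each "(NEEDED) Shared library: [soname]" line.
    sed -n 's/.*(NEEDED).*Shared library: \[\(.*\)].*/\1/p'
}

classify_linkage() {
    needed=$(needed_libs)
    for lib in brotli woff2 xxhash; do
        hits=$(printf '%s\n' "$needed" | grep -E "^lib${lib}[a-z]*\.so" | tr '\n' ' ') || true
        if [ -n "$hits" ]; then
            echo "$lib shared ${hits% }"
        else
            # No DT_NEEDED entry: the code is compiled in (bundled or static) or unused.
            echo "$lib not-shared"
        fi
    done
}

# Exit status 0 only if all three libraries are direct shared dependencies.
all_unbundled() {
    report=$(classify_linkage)
    case "$report" in
        *not-shared*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample inputs (not captured from a real build).
SAMPLE_SYSTEM=' 0x0000000000000001 (NEEDED)  Shared library: [libfreetype.so.6]
 0x0000000000000001 (NEEDED)  Shared library: [libbrotlienc.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libwoff2enc.so.1.0.2]
 0x0000000000000001 (NEEDED)  Shared library: [libxxhash.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libstdc++.so.6]'
SAMPLE_BUNDLED=' 0x0000000000000001 (NEEDED)  Shared library: [libfreetype.so.6]
 0x0000000000000001 (NEEDED)  Shared library: [libstdc++.so.6]'

printf '%s\n' "$SAMPLE_SYSTEM" | classify_linkage
printf '%s\n' "$SAMPLE_BUNDLED" | classify_linkage
```

Against a real build, feed it `readelf -d "$(command -v dvisvgm)"`; a `not-shared` line means security updates to that system library will not reach the binary without a rebuild.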

hartwork commented Jul 30, 2018

Pretty cool, even with bundles off by default, nice!

Two small things caught my attention:

Owner

mgieseki commented Jul 30, 2018

Good catches. I've fixed the readme/website issues locally and will push them shortly.
