New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Alien::cmark to find or build libcmark #9
base: master
Are you sure you want to change the base?
Conversation
Looks nice but I'd like to retain the feature to use a custom version of libcmark installed in a custom directory. This is currently done by passing arguments |
I'm not sure if there's a specific way for Alien::Build to use it, but if pkg-config and PATH can be set up to indicate the custom location then Alien::cmark will use it. |
Also, what happens if |
It installs it in the Perl share directories, which in practice is somewhere in |
One way you could get Alien::Build to use a custom system library mentioned by @plicease would be If you specifically want to support the current method of supplying args to EUMM, then an alternative is keeping the current method of linking to the system library but using Alien::cmark as a fallback. This is a lot more complex but doable. |
How would this work on non-Linux systems where pkg-config typically isn't available? I'm also concerned about security updates to libcmark. In many cases, libcmark is used to process untrusted Markdown over the network and security issues in a C library can have severe consequences. Having a vulnerable library somewhere in I'd much prefer a solution that only falls back to Alien::cmark on explicit user request or if the AUTOMATED_TESTING environment variable is set. But as you said, this is a lot more complex. |
There is a lot to unpack here, but I don't see how the security concerns to installing software from a known location over https from github are significantly greater than downloading modules from CPAN. Upgrades to Aliens generally download the latest stable version of a package, but sometimes there are good reasons to download a fixed version. If the version does need to be fixed in the alien, then the Alien can be updated and released to match the appropriate version. In the few cases where this is necessary I haven't found it overly onerous for committed maintainers. A protection against this is to have a few maintainers share co-maint in the event that one is not available.
Requiring explicit user request does sort of defeat the purpose of making it easy to install out of the box, but I can see if it were appropriately documented it would be at least easier. |
Incidentally, although the default is to attempt a share install, |
Apparently only if PkgConfig.pm is installed. Even if PkgConfig.pm fully supported Windows with its various flavors, MacOS, and whatnot, this would add another dependency.
I'm not talking about the source download but what happens if a security issue in libcmark is discovered and the library has to be upgraded to a newer version.
But it's unlikely that users know about this procedure (or
For Alien::cmark, the version seems to be hardcoded, maybe because there's simply no way to discover the latest GitHub release. Anyway, the libcmark API isn't stable yet and automatically downloading the latest release isn't a good idea as it could suddenly break things. But there should be an easy way for users to install or upgrade to a specific libcmark version on all platforms.
Yes, but for now, I'd prefer a bit of inconvenience over the issues mentioned above. |
It is also possible to use multiple detection strategies in a single I also find that
Well, if you are using the system cmark then you should get the system updates through the normal update process. If you happen to have used the version downloaded from source, as mentioned this can be upgraded either by re-installing the Alien, or by using
I certainly agree that this is a potential concern, however, I also believe that users that are processing random input off the internet without auditing the modules that they are using to process it, and their dependencies probably have a lot more to worry about that missing an update for libcmark.
@Grinnz can probably explain better than myself, but I think maybe you answered your own question? If the API isn't stable downloading the latest stable version doesn't mean anything. If/when it does stabilize it might make sense to use the latest stable (or latest stable within a range perhaps?). Any of these are pretty easy to do from the alienfile. Currently the "easy" way to upgrade a specific libcmark is to download it manually and install into a directory and use
No problem, this is your module and it is up to you. I am sure that @Grinnz and I can help re-work this PR to make this opt-in as you prefer. We have modified a number of CPAN modules to use Aliens and haven't really had any adverse problems as a result. |
Regarding Alien::cmark's hardcoded version - It could be updated to retrieve the latest version from github but as you noted this may not be desirable. It may also be possible to retrieve the latest version at a maximum (not inclusive) of 1.0.0, until Alien::cmark itself is updated to the 1.0.0 branch for example. I am willing to set that up however you wish, there are no other consumers of the Alien at the moment. You can also require that Alien::cmark provide a specific version range like the example atleast_version in the PR - this won't change what it will download and build, but will bail out if the share or system version it's providing isn't a satisfactory version. |
For module authors such as yourself would prefer an explicit opt-in from users before falling back on an Alien, I think the best mechanism would be to fallback on an Alien if the https://metacpan.org/pod/Alien::Build#ALIEN_INSTALL_TYPE As mentioned above values of |
The Alien::Build system allows creating modules that provide an interface to link against the system version of a library if appropriate, or otherwise download and install the library into Perl sharedirs (share build).
I've released Alien::cmark which can provide libcmark in this way, so it could be used by this module instead of relying on the user to have installed libcmark and its headers, thus making
cpan CommonMark
"just work" for most users (provided they have a C compiler). It uses pkg-config to determine if there is an appropriate system version to use.Currently, Alien::cmark requires a minimum libcmark version of 0.21.0 as does this module, but I included a version check for the generated Makefile.PL here as well (possible since Alien::Base 1.55). The share build will install the latest version as of the Alien::cmark release.