New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to using ament_vendor_package for lz4. #1583
Conversation
@clalancette Any idea why
I am pretty sure it is unrelated to the changes from this PR, but still unclear for me what is wrong with it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@clalancette @cottsay If I am not mistaken and recall correctly, the reason why we didn't "vendorize" lz4
at the very beginning and use it directly during the compilation of the mcap
library from sources is because:
lz4
is released under the dual license. From the https://github.com/lz4/lz4?tab=License-1-ov-fileIt turns out, if do it the way how it is done in the current PR. i.e. mix and match by compiling everything fromThis repository uses 2 different licenses : - all files in the `lib` directory use a BSD 2-Clause license - all other files use a GPLv2 license, unless explicitly stated otherwise
lz4
sources into the vendor package library and then link against it in themcap
library. Themcap
library will become poisoned by theGPLv2 license
and everything else downstream linking mcap library will become poisoned by theGPLv2 license
!!!
It might be "ok" for open source projects but certainly NO-NO for any commercial products. The consequences will be that all closed-source "poisoned" by theGPLv2
code or library will automatically become under theGPLv2
license and could be enforced to be open sourced.
Originally we workaround this problem by using explicitly only those part of thelz4
which is under theBSD
license via
file(GLOB _lz4_srcs
${lz4_SOURCE_DIR}/lib/*.c)
add_library(mcap SHARED
src/main.cpp
${_lz4_srcs}
)
- No one else uses
lz4
anywhere else in the other ROS 2 core packages.
@clalancette I recall one more argument as to why we didn't "vendorize" |
I'll have to look at this one in more detail, though clearly I am not a lawyer so there's only so much I can do. All I'll say is that it seems very dicey to rely on that from a legal point-of-view.
This part doesn't really matter; that's the case for e.g.
This would be extremely surprising. The only way I can think that would happen would be if the compiler inlined everything. |
@clalancette My major concern is a viral "infection" of other libraries and executables by the Curious, if we can include in the |
I honestly don't think this is going to be much of a difference. In particular, we are still only building those same BSD-licensed files; the only difference is that we are now using a bit more of the build infrastructure. But I am not a lawyer and I cannot give legal advice. In all honesty, if this is a huge concern we should not be using lz4 at all, and should switch to something where the license is clearer. |
All right. As we discussed, my latest push here renames the package to Note that this now requires ros/rosdistro#40263 to go in first, since that makes an explicit distinction between liblz4 (the runtime library) and liblz4-devel (the development libraries). @cottsay @MichaelOrlov Please take another look when you get a chance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@clalancette 👍 LGTM.
Here is CI for it. Note that we can't merge this until we merge ros/rosdistro#40263, but at least we can be ready to go: |
@clalancette I know you wrote this as the justification - but I'm wondering about the justification that led to this being the approach?
Does this open the possibility that other packages can depend on this new vendor package? What if you don't want that to be the case and prefer to have this as an internal dependency? What you have here seems fine but I was curious at the reasoning for making something that was previously internal now external. |
It does open this possibility, yes. However, I will point out a few things:
|
FWIW I've found this a hinderance in the past. System versions can sometimes be out of date and also drift which makes reasoning about which actual version of the library you have built against difficult. At a previous place of work we had a large effort to never depend on any system library for the robotics stack. Might be something to consider for the future. |
Heh. That is the exact opposite of our policy, which is to use system versions wherever possible. If you don't do this, then you make it dangerous to use the system version of anything, because then you run the risk of multiple libraries presenting the same API but with different ABIs. It is part of being in the ecosystem. |
Worth calling out is that you can absolutely specify the I think that for a general user, the risk of ABI collision, additional build time, and additional file size, are not worth the cost, but there has always been a mechanism to opt-out of using system packages for vendor payloads. |
All right, all of the CI failures are known flakes. We still have to merge in ros/rosdistro#40263 first, so I'll wait for that to happen before merging this. |
All right, I've merged in all of the necessary changes elsewhere. I'm going to run one more set of CI on this after rebasing on the latest, then merge this in. |
This is more explicit, and more like how we vendor the rest of the packages in our ecosystem. Signed-off-by: Chris Lalancette <clalancette@gmail.com>
Signed-off-by: Chris Lalancette <clalancette@gmail.com>
This is to make it clear that we are only vendoring the library portion, which is BSD, rather than the rest of it, which is GPL. Signed-off-by: Chris Lalancette <clalancette@gmail.com>
2462660
to
12a6624
Compare
I kind of lost this one in the shuffle, but it looks like CI was all green, and there have been no changes to this repository since then. It is also approved, so going ahead and merging this one. |
This is more explicit, and more like how we vendor the rest of the packages in our ecosystem.
Note that this is the first of two PRs to switch
mcap_vendor
over to usingament_vendor_package
. We want to do that to make it more like the other vendor packages in the core, and to fix building of binarymcap_vendor
packages on Noble (we currently have a hack that allows us to do this, but we would like to get rid of it).