Possibility to unbundle sqlite3, zlib, expat and pcre


Post by devzero » 21 Aug 2009, 19:09

Hi everyone

Even though bundling certain libraries may be convenient for users such that they don't have to install third party libraries before being able to use Poco, the recent security bugs (http://www.cert.fi/en/reports/2009/vuln ... 09085.html, the reason python is on the list is because it comes with a bundled expat which is vulnerable) show that it may be dangerous.
So, here's the request: please make it optional to use the bundled libraries. For my part (being maintainer for Gentoo's poco package) it would save me a lot of work to patch the sources every time a new version comes out.

Thanks in advance,
Cheers,
Tiziano
devzero
 
Posts: 2
Joined: 21 Aug 2009, 18:57

Re: Possibility to unbundle sqlite3, zlib, expat and pcre

Post by alex » 21 Aug 2009, 22:00

This has been discussed before and the problem with it is twofold:

1) someone needs to do the work
2) supporting unspecified versions of the libraries is hard

I would personally not be opposed to the (optional) use of libraries pre-installed on the target system, provided someone volunteers to do the work and we warn the users of such a setup that they are on their own.
alex
 
Posts: 1130
Joined: 11 Jul 2006, 16:27
Location: United_States

Re: Possibility to unbundle sqlite3, zlib, expat and pcre

Post by paroga » 09 Dec 2009, 14:54

When creating a package, e.g. for Debian, you must use the system libraries for security reasons.
I agree that this should only be optional and not the default behaviour. What is the preferred solution to get it into the official release? My current suggestion is to add a --use-systemlibs to configure and #define POCO_USE_SYSTEMLIBS to Config.h. If it's ok, I will create a patch.

http://lists.debian.org/debian-mentors/ ... 00648.html
http://sourceforge.net/tracker/index.ph ... atid=72571
http://patch-tracker.debian.org/patch/s ... lib.dpatch
paroga
 
Posts: 5
Joined: 09 Dec 2009, 14:12
Location: Austria

Re: Possibility to unbundle sqlite3, zlib, expat and pcre

Post by alex » 11 Dec 2009, 01:45

paroga wrote: I agree that this should only be optional and not the default behaviour. What is the preferred solution to get it into the official release? My current suggestion is to add a --use-systemlibs to configure and #define POCO_USE_SYSTEMLIBS to Config.h. If it's ok, I will create a patch.


I have no problem with it. Guenter is the one to give a final blessing, though.
alex
 
Posts: 1130
Joined: 11 Jul 2006, 16:27
Location: United_States

Re: Possibility to unbundle sqlite3, zlib, expat and pcre

Post by guenter » 11 Dec 2009, 13:31

I have made the necessary changes to the Makefiles, configure script and sources so that you can now call ./configure --unbundled.
A few notes:
- Foundation still needs some internals (Unicode tables) from pcre for its Unicode support, so in the case of --unbundled we're still including two PCRE source files (pcre_ucd.c and pcre_tables.c)
- PCRE 7.8 or newer is required (some tests fail with PCRE 7.4 from Ubuntu 8.04). Also PCRE must be built with UTF-8 support.

You can find the changes in the svn 1.3.6 branch.
guenter
 
Posts: 1135
Joined: 11 Jul 2006, 16:27
Location: Austria
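
Added example (not part of the thread or of the POCO sources): a preflight check a packager could run before `./configure --unbundled`, covering the two PCRE requirements given in the post above (7.8 or newer, built with UTF-8 support). It assumes the system PCRE package provides `pcre-config` and `pcretest`, and that `pcretest -C` lists a `UTF-8 support` line; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for `./configure --unbundled`, using the two PCRE
# requirements stated in the thread (7.8 or newer, built with UTF-8 support).

# pcre_version_ok VERSION
# Returns 0 if VERSION (as printed by `pcre-config --version`, e.g. "7.8" or
# "8.45") is at least 7.8, 1 if it is older, 2 if it cannot be parsed.
pcre_version_ok() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # drop any suffix such as "-RC1"
    case "$major" in *[!0-9]*) return 2 ;; esac
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 8 ]
}

# pcre_has_utf8: reads `pcretest -C` output on stdin and succeeds only if the
# build lists "UTF-8 support" (a "No UTF-8 support" line does not match).
pcre_has_utf8() {
    grep -q '^[[:space:]]*UTF-8 support'
}

# Constructed sample of `pcretest -C` output (assumed format), for offline use.
SAMPLE_PCRETEST_C='PCRE version 7.8 2008-09-05
Compiled with
  UTF-8 support
  No Unicode properties support
  Newline sequence is LF'

# preflight: checks the installed PCRE. Returns 0 if both requirements hold,
# 1 if one is not met, 3 if the helper tools are missing.
preflight() {
    command -v pcre-config >/dev/null 2>&1 || { echo "pcre-config not found" >&2; return 3; }
    command -v pcretest >/dev/null 2>&1 || { echo "pcretest not found" >&2; return 3; }
    v=$(pcre-config --version)
    pcre_version_ok "$v" || { echo "PCRE $v does not meet the 7.8 minimum" >&2; return 1; }
    pcretest -C | pcre_has_utf8 || { echo "PCRE $v built without UTF-8" >&2; return 1; }
    echo "PCRE $v is usable for an unbundled build"
}

# Usage: preflight && ./configure --unbundled
```
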

