[Nagiosplug-devel] Libtap included in distribution

Jan Wagner waja at cyconet.org
Fri Aug 22 21:02:16 CEST 2008


Hi there again,

I feel a bit worried about some reactions on my mail. It was not my intention 
to start any flamewars. Maybe I did not choose the words with the correct 
nuance. :/

On Friday 22 August 2008 18:12, sean finney wrote:
> on the issue of embedding 3rd-party code, i think the situation is a little
> more nuanced then "include it or do not include it".  my personal
> recommendation, from having worked in this and other projects that wish to
> do so, as well as with the debian security team who often have to deal with
> the problem, is roughly as follows:
>
> 	"embedding code is okay, as long as you do not force users/packages/etc to
> 	 use your embedded version"
>
> providing bundled code is a great way to ensure cross platform /
> environment consistency.   however, as jan mentioned, this has security
> implications if the bundled code ever has a serious security problem, or
> otherwise requires an update.

[...]

> debian and others choose to build such packages using the distro-provided
> libraries instead, thus making bundled code unneeded but ultimately
> harmless. in most/ideal cases it's just a matter of passing --with-foo=/usr
> or similar to a configure script which will override the default behaviour
> of using the bundled version.
>
> if nagios-plugins could/does provide similar functionality, i think the
> problem is essentially moot.
>
> however, note that "do not force them to use your version" also means you
> shouldn't make any incompatible changes to the bundled code, as it would
> prevent others from using their local system versions.  i saw some mention
> earlier of needing to make a change in libtap for example.... though maybe
> that's not as grave since upstream work for that seems dead (you should
> email your patch anyway, as well as have it documented for posterity
> though, i'd say).

Sean, thanks for your wonderfull explanation. It's expressing exactly my 
opinion about the situation. 
As far there is no strong depency on the embedded code copies, I think it's 
just fine. Just after writing my mail I did give latest svn snapshot a try 
with removed libtap from source tree and I recognized, it compiles fine. So 
in this case I have the option to avoid using the embedded libtap.
Idealy there would be an option to use a external libtap via an option as sean 
described, but as far as I understand you modified your shipped libtap, so 
this wouldn't be an equivalent replacement for your version of libtap.

> also, as an aside, i don't think libtap is packaged in debian at the moment

No it isn't, but as long as it's possible to avoid using the shipped libtap, 
that would be fine.

> (i tried packaging it a year or two back and ran into some problem before
> losing interest), though i do see gnulib packages.

For gnulib the situation is a way different. You depending heavily on (your 
shipped) gnulib and there is no way neither to avoid using the shipped gnulib 
code nor using a external gnulib copy. Is there a possibility that you 
provide --path-gnulib= or something like that in the future? For example 
Debian has a package gnulib which can be used for this (if you don't changed 
anything in your embedded copy or don't rely on this modifications) I guess.

With kind regards, Jan.
-- 
Never write mail to <waja at spamfalle.info>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://www.monitoring-plugins.org/archive/devel/attachments/20080822/c23f2989/attachment.sig>


More information about the Devel mailing list