From Fedora Project Wiki

Latest revision as of 20:06, 8 January 2023

A list of packages with known bundled libraries and their virtual provides

Each entry gives the bundled library, the virtual Provide the package must carry, and the reason the bundling exception was granted.

Library: Any binc
Provide: bundled(binc)
Reason: copylib

Library: Many modules from ccan
Provides:
  bundled(bobjenkins-hash)
  bundled(ccan-container_of)
  bundled(ccan-htable)
  bundled(ccan-list)
  bundled(ccan-check_type)
  bundled(ccan-build_assert)
Reason: copylib. CCAN is hard to track for two reasons: (1) CCAN encourages people to bundle individual files from its collection rather than a single library. (2) Often the individual modules are from code which is also maintained separately in another location. For these reasons, each module from CCAN needs to have its own virtual provide. Please open a new bundling exception if you wish to use a module from CCAN that is not already listed here.

Library: Any egglib
Provide: bundled(egglib)
Reason: copylib; see https://fedorahosted.org/fpc/ticket/174

Library: Any gnulib
Provide: bundled(gnulib)
Reason: copylib; see https://fedorahosted.org/fpc/ticket/174

Library: Any libiberty
Provide: bundled(libiberty)
Reason: copylib; see https://fedorahosted.org/fpc/ticket/174

Library: Many instances of md5.c[1]
Provide: bundled(md5-$IMPLEMENTATION)[2]
Reason: copylib

Library: Many instances of sha1.c[3]
Provide: bundled(sha1-$IMPLEMENTATION)[4]
Reason: copylib

Library: time-api's use of timex from openjdk8
Provide: bundled(openjdk8-javax-time)
Reason: Reverse bundling, providing a backwards-compatible API.

Library: unac's recoll
Provide: bundled(recoll)
Reason: This copy of recoll has changes that are not applicable to other applications.

Library: TexStudio's qcodeedit
Provide: bundled(qcodeedit)
Reason: TexStudio contains a forked copy of qcodeedit 2, which has been dead upstream for at least two years. Since TexStudio is the only user, there is no benefit to a separate library, and permission to bundle has been granted.

Library: binutils libraries (libbfd, libcpu, libopcodes, libdecnumber)
Provide: bundled(binutils)[5]
Reason: If the package in question shares the same upstream as binutils (sourceware.org), it may bundle these libraries. This is because the libraries are developed by the application authors as common functionality shared between several applications. Being developers of both, they will be intimately aware of issues that arise in the libraries and know how to port to newer versions of the library as needed. Note that, at the moment, all of these applications and libraries come from sourceware.org, but not all of them are used in binutils. The name was chosen because it seemed to be the more permanent and recognizable one.

Library: Spring RTS's lua implementation
Provide: bundled(lua)
Reason: Spring RTS includes a forked and bundled copy of Lua which has Spring RTS specific patches applied, must link to streflop, and is configured differently from stock Lua (most importantly, it needs lua_Number to be a float and not a double). Lua is particularly important because parts of the game code may be written in it, and that code must yield exactly identical results (floating point operations included) on all platforms.

Library: Any okjson
Provide: bundled(okjson)
Reason: copylib[6]

Library: libreplace in samba libraries
Provide: bundled(libreplace)
Reason: If the package in question shares the same upstream as samba, it may bundle the libreplace library. This is because libreplace is developed by the application authors as common functionality shared between several applications. Being developers of both, they will be intimately aware of issues that arise in the library and know how to port to newer versions of it as needed.

Library: boost in passenger
Provide: bundled(boost)
Reason: Due to the intrusive nature of the forked changes, the efforts of the maintainer to merge as many of them as possible into the upstream boost source tree, and the visible efforts of the upstream to keep the bundled copy of boost in sync with current boost releases. The maintainer, wako666, made efforts to redesign the boost patches and merge them back into upstream boost. See https://fedorahosted.org/fpc/ticket/160 .

Library: pyPdf in calibre
Provide: bundled(pyPdf)
Reason: Due to the intrusive nature of the forked changes, the specificity of the changes to calibre, and the fact that pyPdf seems to be abandoned upstream. See https://fedorahosted.org/fpc/ticket/167 .

Library: libtidy in sigul
Provide: bundled(libtidy)
Reason: Due to libtidy being dead upstream and the code being modified to handle epub instead of html. See https://fedorahosted.org/fpc/ticket/219 .

Library: objectweb-asm in byteman
Provide: bundled(objectweb-asm)
Reason: Due to the specific nature of how byteman works. See the ticket for details: https://fedorahosted.org/fpc/ticket/226 .

Library: java_cup in byteman
Provide: bundled(java_cup)
Reason: Due to the specific nature of how byteman works. See the ticket for details: https://fedorahosted.org/fpc/ticket/226 .

Library: Mersenne Twister 19937ar in anything
Provide: bundled(mt19937ar)
Reason: This algorithm (from http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html) is everywhere.

Library: fx2lib in sigrok-firmware-fx2lafw
Provide: bundled(fx2lib)
Reason: 8051 hardware bits, only useful in this firmware context; not packaged or used elsewhere.

Library: JAXP and JAX-WS in openjdk
Provides: bundled(JAXP) and bundled(JAX-WS)
Reason: The openJDK code contains copies of JAXP and JAX-WS that occasionally go out of sync with their upstream versions. The upstream is the same for both revisions, and the openJDK code assumes and depends on the behavior of the bundled versions.

Library: t4k_common's liblinebreak
Provide: bundled(liblinebreak)
Reason: t4k_common contains a forked copy of an older version of liblinebreak. This should be revisited when the t4k_common upstream is able to port their code to use the newer system copy of liblinebreak.

Library: libraries in firefox and icecat
Provides:
  bundled(libtheora)
  bundled(libvorbis)
  bundled(libogg)
  bundled(opus)
  bundled(xulrunner)
  bundled(expat)
  bundled(graphite2)
  bundled(ots)
  bundled(hurfbuzz)
  bundled(soundtouch)
  bundled(snappy)
  bundled(double-conversion)
Reason: firefox has an active security team tracking issues in their codebase. icecat is a fork of firefox that closely tracks firefox's changes. This should be periodically re-evaluated.

Library: event library provided by the kernel
Provide: bundled(kernel-event-lib)
Reason: The kernel should be providing the library as a shared library in the Linux 3.15 time frame, so applications should plan on unbundling for F23. See https://fedorahosted.org/fpc/ticket/372

Library: libtommath bundled in Heimdal
Provide: bundled(libtommath)
Reason: Heimdal bundles a libtommath that is modified to reduce the risk of information leakage through timing side channels in its computations. Linking against OpenSSL instead is not thread-safe.

Library: libjson-c in php-pecl-jsonc
Provide: bundled(libjson-c)
Reason: php-pecl-jsonc bundles libjson-c.

Library: libev in rubygem-nio4r
Provide: bundled(libev)
Reason: Because nio4r has deeply modified the bundled libev in order to release the MRI "Global VM Lock". See the comments in the spec file for details.

Library: jQuery bundled in rubygem-jquery-rails
Provide: bundled(js-jquery)
Reason: jquery-rails bundles specific versions of jQuery {1,2,3}, and the system versions may differ from time to time.

Library: pip bundled in python34, python35, python36
Provide: bundled(python3-pip)
Reason: These are additional compat interpreters intended only for testing code.

Library: setuptools bundled in python34, python35, python36
Provide: bundled(python3-setuptools)
Reason: These are additional compat interpreters intended only for testing code.

Library: ANGLE bundled in WebKitGTK+ (webkitgtk4 package)
Provide: bundled(angle)
Reason: ANGLE does not have a stable API, is difficult to update, and the version used must match the one expected by WebKit, so it would be very difficult to unbundle.

Library: OpenSSL bundled in edk2
Provide: bundled(openssl)
Reason: Virtual machine firmware is compiled with a different ABI than the host (and in fact it might not even be running on the same architecture as the host, e.g. ARM firmware on x86).

  1. There are multiple md5 implementations. The ones that have an actual library (libnss, libgcrypt, openssl, libmd, etc) are not covered by this exception. The ones that are copied from other applications are.
  2. Change $IMPLEMENTATION depending on which implementation of md5 is being bundled. The ones known so far are Peter Deutsch's version: bundled(md5-deutsch), a C++ port of Peter Deutsch's version: bundled(md5-deutsch-c++), Colin Plumb's bundled(md5-plumb), Alexander Peslyak's bundled(md5-peslyak), Ulrich Drepper's code from gcc bundled(md5-gcc), A second implementation from Ulrich Drepper bundled(md5-drepper2), and John Polstra's bundled(md5-polstra).
  3. There are multiple sha1 implementations. The ones that have an actual library (libnss, libgcrypt, openssl, etc) are not covered by this case. The ones that are copied from other applications are.
  4. Change $IMPLEMENTATION depending on which implementation of sha1 is being bundled. One previously known instance was the Uwe Hollerbach-Peter C. Gutmann version (bundled(sha1-hollerbach)), found in older releases of apt-cacher-ng (see https://pagure.io/packaging-committee/issue/407); current apt-cacher-ng no longer ships a private sha1 library.
  5. The version for binutils provides should be the date that the binutils checkout was made
  6. The upstream explicitly intends for this library to be "vendored" and copied directly into any projects which use it. The Fedora Packaging Committee has a general feeling of distaste for this behavior.
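The reason these virtual provides exist is so that a fix in a library (libev, OpenSSL, one of the md5/sha1 copies) can be traced to every package carrying a private copy. The following script is an added example, not part of the Fedora wiki page or of any Fedora tooling: it shows how such an audit is done against the "package: provide" lines that rpm emits. The package names, versions and provide lines in SAMPLE are constructed so the script runs offline; on a real host replace SAMPLE with the output of the rpm query named in the comments.

```shell
#!/bin/sh
# Added example: locate packages that declare bundled(...) virtual provides.
# On a real Fedora host the input would come from rpm's array iteration, e.g.:
#   rpm -qa --qf '[%{NAME}: %{PROVIDENAME}\n]'
# or, across the enabled repositories rather than the installed set:
#   dnf repoquery --whatprovides 'bundled(libev)'
# Here the rpm output is replaced by a constructed sample so the script runs offline.

# Constructed "package: provide" lines; package names and versions are made up.
SAMPLE='rubygem-nio4r: bundled(libev)
rubygem-nio4r: rubygem(nio4r)
edk2-ovmf: bundled(openssl) = 1.1.1q
edk2-ovmf: edk2-ovmf = 20220826
webkit2gtk4: bundled(angle)
example-tool: bundled(md5-plumb)
example-tool: bundled(sha1-hollerbach)
other-pkg: libexample.so.1()(64bit)'

# bundled_users LIB: print, one per line, every package that declares
# bundled(LIB), whether or not a version follows the provide.
bundled_users() {
    printf '%s\n' "$SAMPLE" |
      awk -F': ' -v lib="$1" '
          $2 == ("bundled(" lib ")") || index($2, "bundled(" lib ") ") == 1 { print $1 }
      ' | sort -u
}

# bundled_libs: print every distinct bundled library name found, so the
# installed set can be compared against the list on this page.
bundled_libs() {
    printf '%s\n' "$SAMPLE" |
      sed -n 's/^[^:]*: bundled(\([^)]*\)).*/\1/p' | sort -u
}

# bundled_by_prefix PREFIX: packages bundling any implementation of a family
# such as "md5-" or "sha1-", following the $IMPLEMENTATION convention above.
bundled_by_prefix() {
    printf '%s\n' "$SAMPLE" |
      awk -F': ' -v pfx="$1" 'index($2, "bundled(" pfx) == 1 { print $1 }' | sort -u
}

# Example run: who bundles libev, what is bundled at all, who carries a sha1 copy.
bundled_users libev
bundled_libs
bundled_by_prefix sha1-
```

Matching on the exact `bundled(name)` string (with or without a trailing version) rather than a loose substring keeps `bundled(openssl)` from also matching a hypothetical `bundled(openssl-compat)`; the prefix query is the deliberate wide net for the md5-/sha1- families.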