Red Hat Bugzilla – Bug 505636
spring contains copies of external libraries
Last modified: 2014-03-18 11:29:01 EDT
spring has an internal copy of 7zip that it compiles and staticlly links in. there is also copies of hpiutil2, minizip, streflop in the tree that are compiled also. there is a lua tree but it looks like its just used for headers. in all cases system versions should be used instead.
The lua-sources included are patched. They have single-precission floating point maths and use streflop. Using the system-lua libraries will make the game unplayable online.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.
More information and reason for this action is here:
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
(In reply to comment #1)
> The lua-sources included are patched. They have single-precission floating
> point maths and use streflop. Using the system-lua libraries will make the game
> unplayable online.
Before I close the bug was CANTFIX, can you post a link to an official document/thread/etc? Google didn't return anything meaningful.
Also note, this bug references multiple bundled libraries.
I'm fully aware of this policy, however, as I just taken over springs, and I want to find out if this is intended (read: spring uses patches version of said libraries) or can it be removed.
In post #1 it was claimed that it was intended.
intended or not doesn't matter. its not ok. they need to be either removed or an exception needs to be requested. Right now the package is not close to compliance and needs to be.
Given that the I've yet to ask upstream why they use static libs, this argument is mute. I'll contact upstream and I'll continue from there.
Gilboa, do you have any updates?
Gilboa, have you contacted upstream yet?
Upstream is discussion possible fixes to this issue.
Thus far, it seems that only minizip can be replaced by the Fedora built in version.
LUA is modified - but they are looking at ways at using normal upstream LUA.
As far as I can see, Fedora doesn't have the required md5 and 7z libraries.
Gilboa, thanks for the information. Any updates since then?
Sorry for the late reply.
I was busy trying to get spring working on F15 due to gcc46 issues.
Per subject at hand, I'll ping upstream if anything moved concerning the LUA changes.
As for md5 and 7z, any suggestions? Have I missed anything?
As far as I can see, short of breaking 7za and md5 libraries and getting them included into Fedora as actual packages (A dream, given my current severe time constraints) I'm forced to continue using the supplied libraries as is.
As for minizip, the version included is loosely related to version minizip used by Fedora making it far form ideal for replacement.
In short, I'll file a FPC track about it. As it stands, there's not much I could do about having static libraries inside spring - apart from making it completely incompatible with generic version. (Which will badly damage multi-player)
7z, Package p7zip. It's not a large package. Can they split out the package or use http://www.7-zip.org/download.html (7zip library)? Another alternative is https://code.google.com/p/lib7zip/ which is GPLv2.
md5: Package lua-md5
Given the nature of spring (multi-player game) I cannot make client side modification to the code without upstream concent as it may break multi-player gaming or worse, tag the player as a cheater.
Even small changes (like that ones required to compile spring on F15) were only introduced after a long discussion with upstream.
In the mean time, I tried finding a sample how to get file a FPC ticket for spring but found none, can anyone point me at the right direction?
Most (if not all) Fedora bodies that use a ticketing system are going to be using a trac instance on fedorahosted,org. In particular FESCO's is at:
You want an fpc exception so:
We have some standard questions that we'd ask here: https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions
Gilboa, have you filed the exception yet?
Sadly enough - no.
I'm partially AFK till the third week of May.
Did you file the exception yet?
Gilboa, have you had a chance to file the exception?
Sorry for being an idiot (or simply overworked :(), but for the life of me I can't seem to find a form that I have to fill to get the exception.
Do I edit the wiki? Do I send a mailing list message?
Go to https://fedorahosted.org/fpc/
Click New Ticket (upper right)
Toshio mentioned in Comment 19 that they ask standard questions following https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions:
" Has the library behaviour been modified? If so, how has it been modified? If the library has been modified in ways that change the API or behaviour then there may be a case for copying. Note that fixing bugs is not grounds to copy. If the library has not been modified (ie: it can be used verbatim in the distro) there's little chance of an exception.
Why haven't the changes been pushed to the upstream library? If no attempt has been made to push the changes upstream, we shouldn't be supporting people forking out of laziness.
Have the changes been proposed to the Fedora package maintainer for the library? In some cases it may make sense for our package to take the changes despite upstream not taking them (for instance, if upstream for the library is dead).
Could we make the forked version the canonical version within Fedora? For instance, if upstream for the library is dead, is the package we're working on that bundles willing to make their fork a library that others can link against?
Are the changes useful to consumers other than the bundling application? If so why aren't we proposing that the library be released as a fork of the upstream library?
Is upstream keeping the base library updated or are they continuously one or more versions behind the latest upstream release?
What is the attitude of upstream towards bundling? (Are they eager to remove the bundled version? are they engaged with the upstream for the library? Do they have a history of bundling? Are they argumentative?)
Overview of the security ramifications of bundling
Does the maintainer of the Fedora package of the library being bundled have any comments about this?
Is there a plan for unbundling the library at a later time? Include things like what features would need to be added to the upstream library, a timeline for when those features would be merged, how we're helping to meet those goals, etc.
Please include any relevant documentation -- mailing list links, bug reports for upstream or the bundled library, etc. "
An example is https://fedorahosted.org/fpc/ticket/100
Thanks. Working on it now.
From that ticket:
"In today's meeting we approved the exception for the forked lua bundling (+1:6, 0:0, -1:1), md5 bundling approved (+1:7, 0:0, -1:0).
The spring rts package must add:
Provides: bundled(lua) = X.Y.Z (where X.Y.Z is the base lua version) Provides: bundled(md5-$IMPLEMENTATION) (where $IMPLEMENTATION is the type of md5 implementation being used, see https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-1
Remaining issues: * We hope that the lzma-sdk package will be able to be used in place of the bundled copy. If this is not plausible, we will revisit that bundling exception. * Streflop bundling decision postponed, pending research on packaging it. I'm going to try to package that for Fedora today
Perhaps gilboa (or the spring upstream) can figure out how to make spring check for the streflop libs/headers instead of just building the bundled copy."
Gilboa, can you check into this?
I'm waiting for upstream answer concerning lzma-sdk and streflop build-time detection. If OK by them, I'll patch the build-sys to use the Fedora copy until the next upstream release.
As for bundled(lua/md5), it'll be added to the next release.
84 was released with the required bundled(XXX) tags.
Solution to the remaining issues (lzma, streflop) requires upstream involvement.
bundled(md5-Aladdin) should be bundled(md5-deutsch) per http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
As far as I could verify, the md5 implementation spring is using is Aladdin's code. Why deutsch?
(In reply to Gilboa Davara from comment #32)
> As far as I could verify, the md5 implementation spring is using is
> Aladdin's code. Why deutsch?
http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-1 does not list md5-Aladdin as a known one. The one in spring looks like md5-polstra though, not deutsch.