Bug 505636 - spring contains copies of external libraries
Product: Fedora
Classification: Fedora
Component: spring
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Gilboa Davara
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Blocks: DuplicSysLibsTracker
Reported: 2009-06-12 13:14 EDT by Dennis Gilmore
Modified: 2014-03-18 11:29 EDT
Doc Type: Enhancement
Description Dennis Gilmore 2009-06-12 13:14:20 EDT
spring has an internal copy of 7zip that it compiles and statically links in. There are also copies of hpiutil2, minizip, streflop in the tree that are compiled also. There is a lua tree but it looks like it's just used for headers. In all cases system versions should be used instead.
Comment 1 k-r.ernst 2009-07-06 05:14:06 EDT
The lua-sources included are patched. They have single-precision floating point maths and use streflop. Using the system-lua libraries will make the game unplayable online.
Comment 2 Bug Zapper 2009-11-16 05:10:31 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 3 Fedora Admin XMLRPC Client 2010-12-14 09:00:19 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Gilboa Davara 2010-12-14 12:02:33 EST
(In reply to comment #1)
> The lua-sources included are patched. They have single-precision floating
> point maths and use streflop. Using the system-lua libraries will make the game
> unplayable online.

Before I close the bug as CANTFIX, can you post a link to an official document/thread/etc? Google didn't return anything meaningful.

- Gilboa
Comment 6 Toshio Ernie Kuratomi 2010-12-15 01:20:40 EST
Also note, this bug references multiple bundled libraries.
Comment 7 Gilboa Davara 2010-12-16 02:18:25 EST

I'm fully aware of this policy, however, as I've just taken over spring, I want to find out if this is intended (read: spring uses patched versions of said libraries) or whether it can be removed.

In post #1 it was claimed that it was intended.

- Gilboa
Comment 8 Dennis Gilmore 2010-12-16 11:34:45 EST
Intended or not doesn't matter. It's not OK. They need to be either removed or an exception needs to be requested. Right now the package is not close to compliance and needs to be.
Comment 9 Gilboa Davara 2010-12-16 11:47:50 EST
Given that I've yet to ask upstream why they use static libs, this argument is moot. I'll contact upstream and I'll continue from there.

- Gilboa
Comment 10 Thom Carlin 2011-02-18 18:10:09 EST
Gilboa, do you have any updates?
Comment 11 Thom Carlin 2011-02-22 12:32:29 EST
Gilboa, have you contacted upstream yet?
Comment 12 Gilboa Davara 2011-02-22 14:55:04 EST
Yes. [1]
Upstream is discussing possible fixes to this issue.
Thus far, it seems that only minizip can be replaced by the Fedora built-in version.
LUA is modified - but they are looking at ways of using normal upstream LUA.
As far as I can see, Fedora doesn't have the required md5 and 7z libraries.

- Gilboa
[1] http://springrts.com/phpbb/viewtopic.php?f=12&t=24813&sid=0de5194304e7a97a6bdfb8530d3549ef
Comment 13 Thom Carlin 2011-03-14 15:35:52 EDT
Gilboa, thanks for the information.  Any updates since then?
Comment 14 Gilboa Davara 2011-04-02 07:23:17 EDT

Sorry for the late reply.
I was busy trying to get spring working on F15 due to gcc46 issues.
Per subject at hand, I'll ping upstream if anything moved concerning the LUA changes.

As for md5 and 7z, any suggestions? Have I missed anything? 
As far as I can see, short of breaking 7za and md5 libraries and getting them included into Fedora as actual packages (A dream, given my current severe time constraints) I'm forced to continue using the supplied libraries as is.

- Gilboa
Comment 15 Gilboa Davara 2011-04-02 09:10:35 EDT
As for minizip, the version included is loosely related to the minizip version used by Fedora, making it far from ideal for replacement.

In short, I'll file a FPC track about it. As it stands, there's not much I could do about having static libraries inside spring - apart from making it completely incompatible with generic version. (Which will badly damage multi-player)

- Gilboa
Comment 16 Thom Carlin 2011-04-02 09:30:01 EDT
Possible candidates:
7z, Package p7zip.  It's not a large package.  Can they split out the package or use http://www.7-zip.org/download.html (7zip library)?  Another alternative is https://code.google.com/p/lib7zip/ which is GPLv2.
md5: Package lua-md5
Comment 17 Gilboa Davara 2011-04-11 03:31:14 EDT

Given the nature of spring (multi-player game) I cannot make client side modifications to the code without upstream consent as it may break multi-player gaming or worse, tag the player as a cheater.
Even small changes (like the ones required to compile spring on F15) were only introduced after a long discussion with upstream.

In the meantime, I tried finding a sample of how to file an FPC ticket for spring but found none. Can anyone point me in the right direction?

- Gilboa
Comment 18 Bruno Wolff III 2011-04-11 08:28:22 EDT
Most (if not all) Fedora bodies that use a ticketing system are going to be using a trac instance on fedorahosted.org. In particular FESCO's is at:
Comment 19 Toshio Ernie Kuratomi 2011-04-11 15:59:30 EDT
You want an fpc exception so:


We have some standard questions that we'd ask here: https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions
Comment 20 Thom Carlin 2011-04-26 07:24:06 EDT
Gilboa, have you filed the exception yet?
Comment 21 Gilboa Davara 2011-05-01 16:46:05 EDT
Sadly enough - no.
I'm partially AFK till the third week of May.
Comment 22 Thom Carlin 2011-07-31 20:06:51 EDT
Did you file the exception yet?
Comment 23 Thom Carlin 2011-08-16 08:41:36 EDT
Gilboa, have you had a chance to file the exception?
Comment 24 Gilboa Davara 2011-08-17 14:21:29 EDT
Sorry for being an idiot (or simply overworked :(), but for the life of me I can't seem to find a form that I have to fill to get the exception.
Do I edit the wiki? Do I send a mailing list message?

Comment 25 Thom Carlin 2011-08-18 05:25:07 EDT
Go to https://fedorahosted.org/fpc/
Click New Ticket (upper right)

Toshio mentioned in Comment 19 that they ask standard questions following https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions:
"    Has the library behaviour been modified? If so, how has it been modified? If the library has been modified in ways that change the API or behaviour then there may be a case for copying. Note that fixing bugs is not grounds to copy. If the library has not been modified (ie: it can be used verbatim in the distro) there's little chance of an exception.
        Why haven't the changes been pushed to the upstream library? If no attempt has been made to push the changes upstream, we shouldn't be supporting people forking out of laziness.
        Have the changes been proposed to the Fedora package maintainer for the library? In some cases it may make sense for our package to take the changes despite upstream not taking them (for instance, if upstream for the library is dead). 
    Could we make the forked version the canonical version within Fedora? For instance, if upstream for the library is dead, is the package we're working on that bundles willing to make their fork a library that others can link against?
    Are the changes useful to consumers other than the bundling application? If so why aren't we proposing that the library be released as a fork of the upstream library?
    Is upstream keeping the base library updated or are they continuously one or more versions behind the latest upstream release?
    What is the attitude of upstream towards bundling? (Are they eager to remove the bundled version? are they engaged with the upstream for the library? Do they have a history of bundling? Are they argumentative?)
    Overview of the security ramifications of bundling
    Does the maintainer of the Fedora package of the library being bundled have any comments about this?
    Is there a plan for unbundling the library at a later time? Include things like what features would need to be added to the upstream library, a timeline for when those features would be merged, how we're helping to meet those goals, etc.
    Please include any relevant documentation -- mailing list links, bug reports for upstream or the bundled library, etc. "

An example is https://fedorahosted.org/fpc/ticket/100
Comment 26 Gilboa Davara 2011-08-31 03:32:23 EDT
Thanks. Working on it now.

- Gilboa
Comment 27 Gilboa Davara 2011-08-31 07:55:43 EDT
Comment 28 Thom Carlin 2011-10-01 06:14:22 EDT
From that ticket: 
"In today's meeting we approved the exception for the forked lua bundling (+1:6, 0:0, -1:1), md5 bundling approved (+1:7, 0:0, -1:0).

The spring rts package must add:

Provides: bundled(lua) = X.Y.Z (where X.Y.Z is the base lua version)
Provides: bundled(md5-$IMPLEMENTATION) (where $IMPLEMENTATION is the type of md5 implementation being used, see https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-1)

Remaining issues:
* We hope that the lzma-sdk package will be able to be used in place of the bundled copy. If this is not plausible, we will revisit that bundling exception.
* Streflop bundling decision postponed, pending research on packaging it. I'm going to try to package that for Fedora today
FYI: http://spot.fedorapeople.org/streflop-0.3-1.fc15.src.rpm

Perhaps gilboa (or the spring upstream) can figure out how to make spring check for the streflop libs/headers instead of just building the bundled copy."

Gilboa, can you check into this?
Comment 29 Gilboa Davara 2011-10-10 23:20:56 EDT
Hi Thom,

I'm waiting for upstream answer concerning lzma-sdk and streflop build-time detection. If OK by them, I'll patch the build-sys to use the Fedora copy until the next upstream release.
As for bundled(lua/md5), it'll be added to the next release.

- Gilboa
Comment 30 Gilboa Davara 2011-12-05 07:17:18 EST
Short update.
84 was released with the required bundled(XXX) tags.
Solution to the remaining issues (lzma, streflop) requires upstream involvement.

- Gilboa
Comment 31 Ville Skyttä 2012-05-28 15:50:20 EDT
bundled(md5-Aladdin) should be bundled(md5-deutsch) per http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
Comment 32 Gilboa Davara 2012-06-10 01:51:43 EDT
As far as I could verify, the md5 implementation spring is using is Aladdin's code. Why deutsch?

- Gilboa
Comment 33 Ville Skyttä 2014-03-18 11:29:01 EDT
(In reply to Gilboa Davara from comment #32)
> As far as I could verify, the md5 implementation spring is using is
> Aladdin's code. Why deutsch?

http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-1 does not list md5-Aladdin as a known one. The one in spring looks like md5-polstra though, not deutsch.
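
The `Provides: bundled(...)` tags required in comment 28, and the md5 implementation naming question raised in comments 31 to 33, can be checked mechanically against a spec file. The following is an added example, not part of the original thread or of the spring package: the spec fragment and lua version are constructed, the function names are hypothetical, and the set of accepted md5 names holds only the two mentioned in this thread rather than the wiki's list.

```python
import re

# One "Provides: bundled(name) [= version]" tag per line; RPM tag names are
# case-insensitive. Several provides on a single line are not handled here.
PROVIDES_RE = re.compile(
    r"^[ \t]*Provides:[ \t]*bundled\(([^)\s]+)\)(?:[ \t]*=[ \t]*(\S+))?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed spec fragment; the lua version is a placeholder value.
SAMPLE_SPEC = """\
Name:     spring
Provides: bundled(lua) = 1.2.3
Provides: bundled(md5-Aladdin)
"""

# Assumption: only the two names mentioned in the thread, not the wiki's list.
KNOWN_MD5 = {"md5-deutsch", "md5-polstra"}


def bundled_provides(spec_text):
    """Return {library_name: version_or_None} for every bundled() Provides."""
    return {m.group(1): m.group(2) for m in PROVIDES_RE.finditer(spec_text)}


def audit(spec_text, known_md5):
    """List deviations from the two tags the FPC decision asks for."""
    found = bundled_provides(spec_text)
    problems = []
    if "lua" not in found:
        problems.append("missing Provides: bundled(lua) = X.Y.Z")
    elif found["lua"] is None:
        problems.append("bundled(lua) has no base version")
    md5_names = [name for name in found if name.startswith("md5-")]
    if not md5_names:
        problems.append("missing Provides: bundled(md5-$IMPLEMENTATION)")
    for name in md5_names:
        if name not in known_md5:
            problems.append(f"unrecognised md5 implementation: {name}")
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_SPEC, KNOWN_MD5):
        print(problem)
```
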
