← Back to team overview

kicad-developers team mailing list archive

Re: New Build Dependencies: Lemon + GTK3

 

> unfortunately that is a typical thing how problems are getting "solved",
>simply embed the required third party code. From a security perspective
>this is mostly a nightmare as also typically nobody ever touches such
>code again as it "works" for all times.
>Embedded code is quite in no way traceable and make the work of package
>maintainers and of the security teams within Linux distribution even
>more harder [1].

But this is also a nightmare.
1. The main issue is the tool is not a real independent tool, it is only
maintained within sqlite and everyone using it outside of that are "welcome
to" by sqlite but the global library that's available is quite out of scope
of the sqlite maintainers.
2. Which now leads to the scenario like Arch Linux has. There is no
official repo with lemon. Only a 5-years out of date user repo that is not
exactly helping with that security goal ;)

But yea, perhaps a configure switch will make this all happy?


On Mon, Aug 3, 2020 at 2:01 PM Carsten Schoenert <c.schoenert@xxxxxxxxxxx>
wrote:

> Hello Ian,
>
> Am 03.08.20 um 19:39 schrieb Ian McInerney:
> > I have now updated this so that we bundle the lemon parser code inside
> > thirdparty and build it for ourselves (it is only 1 main c file that was
> > released into the public domain). CMake then takes care of all the
> > pathing for the template and executable file for the targets. This
> > should work on all platforms now with no extra steps. It also means that
> > there is no need to install lemon on dev computers anymore.
>
> unfortunately that is a typical thing how problems are getting "solved",
> simply embed the required third party code. From a security perspective
> this is mostly a nightmare as also typically nobody ever touches such
> code again as it "works" for all times.
> Please try to avoid this when *ever* possible and look for alternatives.
> For package maintainers a good alternative is to make the use of the
> third party code optional. Means that a configure switch should be
> available to so on the Linux side we can use the package versions.
>
> Embedded code is quite in no way traceable and make the work of package
> maintainers and of the security teams within Linux distribution even
> more harder [1].
>
> So if not already the use of the lemon parser is configured in a way I
> can chose to use a packaged version please consider to do so. Thank you.
>
> [1] https://wiki.debian.org/EmbeddedCopies
>
> --
> Regards
> Carsten
>
> _______________________________________________
> Mailing list: https://launchpad.net/~kicad-developers
> Post to     : kicad-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~kicad-developers
> More help   : https://help.launchpad.net/ListHelp
>


-- 
Mark

Follow ups

References