kicad-developers team mailing list archive

Re: New Build Dependencies: Lemon + GTK3

 

On Mon, Aug 3, 2020 at 12:19 PM Mark Roszko <mark.roszko@xxxxxxxxx> wrote:

> > unfortunately that is a typical thing how problems are getting "solved",
> > simply embed the required third party code. From a security perspective
> > this is mostly a nightmare as also typically nobody ever touches such
> > code again as it "works" for all times.
> > Embedded code is quite in no way traceable and makes the work of package
> > maintainers and of the security teams within Linux distributions even
> > harder [1].
>
> But this is also a nightmare.
> 1. The main issue is the tool is not a real independent tool, it is only
> maintained within sqlite and everyone using it outside of that are "welcome
> to" by sqlite but the global library that's available is quite out of scope
> of the sqlite maintainers.
> 2. Which now leads to the scenario like Arch Linux has. There is no
> official repo with lemon. Only a 5-years out of date user repo that is not
> exactly helping with that security goal ;)
>
> But yea, perhaps a configure switch will make this all happy?
>
>
I know there has been quite a bit of focus on using VCPKG as a package
manager on Windows but this sort of problem seems to me like it would be
better solved with a tool like Conan. https://conan.io/

Conan would allow us to publish a package that can be built and consumed on
any platform since it is cross platform. This would allow any platform to
use it easily and would not require putting the source into KiCad.

I have used Conan on several previous projects and it gives a very nice
experience since building on all platforms is the same process to build and
install dependencies.

Regards,

Kevin
