kicad-developers team mailing list archive
Message #44327
Re: New Build Dependencies: Lemon + GTK3
-
To:
kicad-developers@xxxxxxxxxxxxxxxxxxx
-
From:
Wayne Stambaugh <stambaughw@xxxxxxxxx>
-
Date:
Mon, 3 Aug 2020 14:40:08 -0400
-
In-reply-to:
<CAJjB1qKMPF0urJGKP77SszirHU6C_hg+oY0qVLfo=gqgpLOStQ@mail.gmail.com>
-
User-agent:
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
On 8/3/20 2:19 PM, Mark Roszko wrote:
>> unfortunately that is a typical thing how problems are getting "solved",
>> simply embed the required third party code. From a security perspective
>> this is mostly a nightmare as also typically nobody ever touches such
>> code again as it "works" for all times.
>> Embedded code is quite in no way traceable and makes the work of package
>> maintainers and of the security teams within Linux distribution even
>> harder [1].
>
> But this is also a nightmare.
> 1. The main issue is the tool is not a real independent tool, it is only
> maintained within sqlite and everyone using it outside of that are
> "welcome to" by sqlite but the global library that's available is quite
> out of scope of the sqlite maintainers.
> 2. Which now leads to the scenario like Arch Linux has. There is no
> official repo with lemon. Only a 5-years out of date user repo that is
> not exactly helping with that security goal ;)
>
> But yea, perhaps a configure switch will make this all happy?
Why not use CMake to check to see if lemon is installed on the system
and only build from source when necessary?
>
>
> On Mon, Aug 3, 2020 at 2:01 PM Carsten Schoenert
> <c.schoenert@xxxxxxxxxxx> wrote:
>
> Hello Ian,
>
> On 03.08.20 at 19:39, Ian McInerney wrote:
> > I have now updated this so that we bundle the lemon parser code inside
> > thirdparty and build it for ourselves (it is only 1 main c file that was
> > released into the public domain). CMake then takes care of all the
> > pathing for the template and executable file for the targets. This
> > should work on all platforms now with no extra steps. It also means that
> > there is no need to install lemon on dev computers anymore.
>
> unfortunately that is a typical thing how problems are getting "solved",
> simply embed the required third party code. From a security perspective
> this is mostly a nightmare as also typically nobody ever touches such
> code again as it "works" for all times.
> Please try to avoid this when *ever* possible and look for alternatives.
> For package maintainers a good alternative is to make the use of the
> third party code optional. Means that a configure switch should be
> available so on the Linux side we can use the package versions.
>
> Embedded code is quite in no way traceable and makes the work of package
> maintainers and of the security teams within Linux distribution even
> harder [1].
>
> So if not already the use of the lemon parser is configured in a way I
> can choose to use a packaged version please consider to do so. Thank you.
>
> [1] https://wiki.debian.org/EmbeddedCopies
>
> --
> Regards
> Carsten
>
> _______________________________________________
> Mailing list: https://launchpad.net/~kicad-developers
> Post to : kicad-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~kicad-developers
> More help : https://help.launchpad.net/ListHelp
>
>
>
> --
> Mark
>
>
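
One way to wire up the check suggested in this reply, as an added example that is not code from the message or from KiCad: prefer a packaged lemon, fall back to the bundled copy, and let distribution builds forbid the fallback so an embedded copy is never used silently. The option name `USE_SYSTEM_LEMON`, the function `generate_lemon_parser`, the `thirdparty/lemon` layout and the `/usr/share/lemon` template path are assumptions.

```cmake
# Added example; option, function and path names are hypothetical, not KiCad's.
option( USE_SYSTEM_LEMON "Fail instead of building the bundled lemon" OFF )

# Assumed location of the bundled copy (the thread only says "thirdparty").
set( BUNDLED_LEMON_DIR "${CMAKE_SOURCE_DIR}/thirdparty/lemon" )

find_program( LEMON_EXECUTABLE NAMES lemon )
# Packages ship the parser template (lempar.c) separately from the binary;
# the extra search path is an assumption about where a package installs it.
find_file( LEMON_TEMPLATE NAMES lempar.c PATHS /usr/share/lemon )

if( LEMON_EXECUTABLE AND LEMON_TEMPLATE )
    # Record which copy was used so the build log shows the provenance.
    message( STATUS "Using system lemon: ${LEMON_EXECUTABLE}" )
elseif( USE_SYSTEM_LEMON )
    # Packagers set USE_SYSTEM_LEMON=ON; never fall back to embedded code.
    message( FATAL_ERROR
             "USE_SYSTEM_LEMON=ON but lemon or lempar.c was not found" )
else()
    message( STATUS "System lemon not found, building the bundled copy" )
    add_executable( lemon_bundled "${BUNDLED_LEMON_DIR}/lemon.c" )
    # A target name used as COMMAND is replaced by the built executable
    # and adds the build dependency automatically.
    set( LEMON_EXECUTABLE lemon_bundled )
    set( LEMON_TEMPLATE "${BUNDLED_LEMON_DIR}/lempar.c" )
endif()

# Generate <name>.c/.h from a grammar with whichever lemon was selected.
function( generate_lemon_parser GRAMMAR OUT_DIR )
    get_filename_component( base "${GRAMMAR}" NAME_WE )
    file( MAKE_DIRECTORY "${OUT_DIR}" )
    add_custom_command(
        OUTPUT "${OUT_DIR}/${base}.c" "${OUT_DIR}/${base}.h"
        COMMAND ${LEMON_EXECUTABLE} -q "-T${LEMON_TEMPLATE}"
                "-d${OUT_DIR}" "${GRAMMAR}"
        DEPENDS "${GRAMMAR}" "${LEMON_TEMPLATE}"
        VERBATIM )
endfunction()
```

A distribution build would configure with `-DUSE_SYSTEM_LEMON=ON`, which turns a missing package into a configure-time error rather than a quiet use of the embedded copy.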