kicad-developers team mailing list archive

Thread
Date

Re: New Build Dependencies: Lemon + GTK3

To: kicad-developers@xxxxxxxxxxxxxxxxxxx
From: Wayne Stambaugh <stambaughw@xxxxxxxxx>
Date: Mon, 3 Aug 2020 14:47:00 -0400
Autocrypt: addr=stambaughw@xxxxxxxxx; prefer-encrypt=mutual; keydata= mQGiBEM0hxQRBAC2fNh3YOVLu1d5GZ0SbrTNldGiGnCJPLqzEnqFX9v6jmf33TMt6EmSLkl6 Wtfkoj0nVwKxcYmJkA8DX0QAokBkwNIzhSsBzQvthBLIk/5LnPVVKrEXOcL4mUyH1doKlkaE slgJozNa6Av+oavcvD02o1zJOloBbaHlNlyRt7fKswCgtIFlVjWggVH/15KfWk+Qo5JVPbME AIUBAQyL2OAx0n60AWec2WHnO9buHuG0ibtICgUMkE+2MRmYyKwYRdyVwGoIUemFuOyHp0AJ InX4T+vy2E7vkwODqjtMLfIoRkokW74Fi4nrvjlhOAw/vdq/twLbAmR9MOfPTpR4y7kQy1O2 /n+RkkRvh26vTzfbQmrH7cBJhk6aA/9Uwvu3E4zNJgHVZeS0HyWtmR1eOPPRbnkPgJTToX5O KMKzTJI/FX6kT7cFoCamitHrW3BJP4Dx+cMMsa47EGxqVTdbVJ4LjogsXTXxb+0Fn1u4zBdx x3Cer6O7+hqWy7zvpzeC6nSREjqDKa5CgHtv/GLm5uFPOmsjAsnHj2tlBrQmV2F5bmUgU3Rh bWJhdWdoIDxzdGFtYmF1Z2h3QGdtYWlsLmNvbT6IeAQTEQIAOBYhBOffs6CbblRzBkv33BtR cWlZ+CReBQJbFBS2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBtRcWlZ+CReMI8A nRbrLkzp7+c2f0vX7sfg4ICX8LAKAJ9uClo4uJajmZa5zZrL2nKdZlUwIrkCDQRDNIcxEAgA gCru+3/aOC6RCjpvYC72wY+d5SmHphC6yeiV2/mOumyt5MLo/Ps2GznZr11JspqFk5K/Zpvp MMLqqjDZ39+50a2iKRQFJ6NlK+hJWMmj6eJygQrCwYo3Gjc6CqfrqUv+8VSnf/i5sIZmtOVA 4ZjML18MuBvMSsNdVLFJd5HNnYb1iOECpvqdPVh/21LLCEw7MUUGGnHBhCrmk2aJe5hFmcSN g4ldBcXrgMQBwf7aMVoobXBMFDb/IENByXn0llB7Gr2IFMRmNS9/p8s/II1Yl2bTqyX4FSz8 cfn7C9KEz7faZ7wzAcpwHFC/zs3JoAjJ0IEKdNUpIwAlKMzT3CzctwADBQf/cxpG28MKyrqk nNmq/8LQLy+x6FSYXBLjxQz9BiBNYeesDZQ6J5UbL1mjpJzMa5tLZypPYo4bbGyR22hrbyDF K7m6AcVaMIJKl98g4ukMutFfAJyRDaREH5Zl/X1P4u1Z/yaAIy9mKaNbaK1/5djNJ5wCTFen TUgAp9xdc30kGkFDdLJFp5uxDY4P0vaZiZdjUCvDM3Zjv5IzpNOfxVqTUBQNUP/BnnKhkk0p DTD6s3X8S+D0rOtEBQ8K0cwERI/E8EFa8nj0TNw4e2MYGR8wg+SxqJ7z5f0zPY0bO6G9DDFB wYCqzzPWGqdAh9vA5971TAbPERtdFybhkurozp2SfYhJBBgRAgAJBQJDNIcxAhsMAAoJEBtR cWlZ+CResHUAniULLCWiT26ieRTl7N2vS6vBo/DuAJ4m7Ss/gyiW6ybTn1ctDXAUgm2QVQ==
In-reply-to: <df45a255-5bb2-c08a-04de-44e9f8b587b8@gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0

On 8/3/20 2:42 PM, Steven A. Falco wrote:
> On 8/3/20 2:37 PM, Wayne Stambaugh wrote:
>> On 8/3/20 2:01 PM, Carsten Schoenert wrote:
>>> Hello Ian,
>>>
>>> Am 03.08.20 um 19:39 schrieb Ian McInerney:
>>>> I have now updated this so that we bundle the lemon parser code inside
>>>> thirdparty and build it for ourselves (it is only 1 main c file that
>>>> was released into the public domain). CMake then takes care of all the
>>>> pathing for the template and executable file for the targets. This
>>>> should work on all platforms now with no extra steps. It also means
>>>> that there is no need to install lemon on dev computers anymore.
>>>
>>> unfortunately that is a typical thing how problems are getting "solved",
>>> simply embed the required third party code. From a security perspective
>>> this is mostly a nightmare as also typically nobody ever touches such
>>> code again as it "works" for all times.
>>> Please try to avoid this when *ever* possible and look for alternatives.
>>> For package maintainers a good alternative is to make the use of the
>>> third party code optional. Means that a configure switch should be
>>> available to so on the Linux side we can use the package versions.
>>>
>>> Embedded code is quite in no way traceable and make the work of package
>>> maintainers and of the security teams within Linux distribution even
>>> more harder [1].
>>>
>>> So if not already the use of the lemon parser is configured in a way I
>>> can chose to use a packaged version please consider to do so. Thank you.
>>>
>>> [1] https://wiki.debian.org/EmbeddedCopies
>>>
>>
>> I could not have said it better myself.  We now have programmed
>> ourselves into a third party library maintenance issue.  In the future,
>> all new dependencies should be run by the lead development team for
>> discussion so we can plan how we want to handle them.
> 
> What is the resolution?  Do I undo the dependency on the lemon parser
> generator?  Or will there be a flag to select whether to generate or use
> the canned one?
> 
> I really don't like having this potentially work two different ways. 
> Then there could be bugs that only show up when using a newer lemon, or
> that show up when using the pregenerated code.  It is best to have
> exactly one way that this works.
> 
>     Steve
> 

Would the solution proposed in my last post be sufficient?

Follow ups

Re: New Build Dependencies: Lemon + GTK3
From: Steven A. Falco, 2020-08-03

References

New Build Dependencies: Lemon + GTK3
From: Ian McInerney, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Adam Wolf, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Ian McInerney, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Roberto Fernández Bautista, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Mark Roszko, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Mark Roszko, 2020-08-02
Re: New Build Dependencies: Lemon + GTK3
From: Ian McInerney, 2020-08-03
Re: New Build Dependencies: Lemon + GTK3
From: Carsten Schoenert, 2020-08-03
Re: New Build Dependencies: Lemon + GTK3
From: Wayne Stambaugh, 2020-08-03
Re: New Build Dependencies: Lemon + GTK3
From: Steven A. Falco, 2020-08-03