maria-developers team mailing list archive

Re: Why local modifications to PCRE library?

 


On 16.11.2013 19:58, Alexander Barkov wrote:
> Reindl,
> 
> On 11/16/2013 10:46 PM, Reindl Harald wrote:
>>
>> On 16.11.2013 19:39, Alexander Barkov wrote:
>>> I'm not sure why bundling PCRE with some of our fixes should
>>> be confusing. We bundle many libraries with our own fixes.
>>> Before the 10.0.5 release we've bundled Henry Spencer's regex library with our own modifications for many many
>>> years.
>>> No one was ever confused about that :)
>>> So why do you think it's confusing?
>>
>> it violates the concept of shared libraries and is *highly* disapproved by most
>> Linux distributions like Fedora which are doing hard work downstream to
>> unbundle all this stuff which wastes a lot of energy all over the world
>>
>> https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
> 
> Thanks for the link. I have added it into the task description:
> https://mariadb.atlassian.net/browse/MDEV-5304
> 
> For now, we have to wait for PCRE-8.34 release anyway.
> Adding an option to compile against the external PCRE-8.33
> is not a good idea: any MariaDB user that has a valid
> user and password would be able to crash the server
> by sending a dangerous pattern to RLIKE. We can't do that

no problem, i have my own build-environments with no rules except
"it must work reliably" for servers i am responsible

I thought it would be good to point out the side effects and the Fedora
page is a great resource in that context besides it is our favourite
distribution for several reasons

there are always pros and cons

* have all bundled - you *may* be sure somehow all is fine
* at the end of the day the "all" is relative

there may also be removed some hacks and workarounds in
other packages which are not bundled removed because the
distribution updated the upstream library and a package
behaves not as expected because an older version

the opposite may also happen, so you do not really know all
possible combinations of libraries and side effects

i have a strong feeling that using as few downstream patches
as possible in whatever project and trying to fix issues in involved
upstream packages is doing a favor for all involved people and
may save a lot of time and pain over the years and if the goal
having no downstream patches what Fedora has more or less is
reached the result means like very high quality over the stack

that said from a "only user" in context of MariaDB but with
some years developer experience in other areas
