On Mon, 2014-07-07 at 16:49 +0800, Ghislain Hachey wrote:
On 7/6/14, 16:57, Michael Tremer wrote:
That's what we call bundled packages (very often libraries) and which are extremely discouraged. The problem that comes with that is that when a component gets updated to resolve a certain issue this problem is still in the twenty other copies of the same software. Imagine that for things like Heartbleed. It also consumes space, increases the build time and so on.
You should use the provided versions of those tools and libraries or modify them if that is required. All other components that are missing should be created as individual packages.
Hey,
So I've got 4 new addons built and in the process noticed that apr and apr-util are both not included as separate packages. I think that httpd makes use of them but provides the sources bundled which seems to go against what you recommend above. Like for instance, in Debian apr and apr-util are both provided as modular separate packages. So this is what I did while playing around. I built two addons for both apr and apr-util because subversion also has those as dependencies. I then specified --with-apr and --with-apr-util to my newly added apr and apr-util packages when ./configure'ing subversion. It all builds nicely and I'm just waiting on my clean/build to test packages on my live IPFire box.
Are you sure that subversion needs apr at runtime? It certainly needs the library, but I think that everything that is needed by subversion at runtime should be in the core system already.
We had a subversion package which was dropped in 2008, because the IPFire project switched to git and there was no one who wanted to maintain subversion any more.
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=a91ca65e82da80139f0e0...
Long story, but I'm curious about why apache makes used of bundled third party sources here, is this a special case that requires to go against what's encouraged?
APR is a part of apache. Some distributions simply create a subpackage for apr as it is usually not needed at runtime, just for development.
For the record, I don't believe that something like subversion belongs to a nice trimmed down firewall OS, but I needed it for quick checkout of sources on my box and thought it might be occasionally useful.
I would say we can include that as long as you are going to maintain the package.
The command line tools would certainly never hurt any one. Just make sure that mod_dav_svn is not loaded by apache by default and needs to be enabled in some way.
Regards,
-Michael