Hey Dmitry,

On Sun, Jan 19, 2014 at 10:34 PM, Dmitry Smirnov <only...@debian.org> wrote:
> Hi Scott,
>
> Thanks for the relevant links to the discussion that I wasn't aware of.
>
> On Thu, 9 Jan 2014 10:02:37 Scott Howard wrote:
>> If you disagree, I'd be interested in hearing why.
>
> Mostly my decision is based on our policy. I'm convinced that
> discouraging linking to private libraries is one of the best practices
> that we have in Debian. Not only does it benefit security but also it helps
> to maintain coherent up-to-date distribution, encourage communication
> and cooperation between maintainers as well as compartmentalise
> development without unnecessary duplication.

I totally agree re: discouraging linking to private libraries as one of the best practices in Debian. I spent a weekend, not too long ago, pulling libtiff out of freeimage. I agree that long term, bitcoin should use system libraries. I think upstream's (and my own personal) opinion is that bitcoin protocol and network isn't evolved enough for widespread stable releases using system libraries. For example, see the current MtGox controversy where their implementation and the satoshi implementation are clashing (there are no standards) [1]. That has nothing to do with system libraries, but it illustrates the fact that even the experts are having trouble understanding and predicting the effects of changes to network implementation.

> I'd be interested to know if there are any additional steps to ensure
> its proper functioning.

I asked this of upstream too, at one point, and the response was that there is nothing to ensure proper functioning yet. They can't make tests for problems they don't know will come up because of changes to things outside of their control (including modification of the reference client, per [1]). They do know that such problems may be catastrophic to the network (any loss of faith in the network can cause the loss of billions of dollars).

In my opinion, the risk does not outweigh the reward - but as the network standardizes (note: there is no bitcoin protocol specification: the satoshi reference client *is* the protocol specification) and things such as blockchain self-healing are studied and understood better. I think, at this point, the whole bitcoin experiment is still fragile and is under rapid development; I believe building with embedded libraries will help nurture the experiment (and is one of the reasons it should not be in testing yet). At some point, bitcoin will be mature enough to walk on its own - and we can do the normal Debian things: build with system libraries, migrate to testing, updates to backports/jessie-updates, etc.

At some point we should move to system libraries and help bitcoin developers with the appropriate tests and mechanisms so they can trust system libraries as well. I don't think we are at that point yet. When we reach that point, we also will probably have safe enough packages for inclusion in Debian and Ubuntu.

~Scott

[1] http://www.reddit.com/r/Bitcoin/comments/1x93tf/some_irc_chatter_about_what_is_going_on_at_mtgox/cf99yac