On Thu, Jun 9, 2016 at 5:41 AM, Alexander Berntsen <berna...@gentoo.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 08/06/16 16:53, Rich Freeman wrote:
>> Do you propose that you can have cross-repo dependencies?
> Sure. This works well in Exherbo using Paludis. We could do it right now
> if we wanted to.
>
>> If so that creates a lot of potential issues, even if you do it
>> the NixOS way.
> You should tell Exherbo and NixOS about all these issues that they
> should be having but aren't having.
>
Perhaps you could explain how they actually prevent the issues I brought up? Since you didn't actually quote them, I'll do so:

Suppose you have 10 packages, and they each depend on zlib from a different repository? If they collide, that is one problem to solve. If they don't collide, then you have 10 copies of zlib now, and good luck making sure they're all secure, and of course now you're multiplying the number of "shared" objects you keep in RAM.

How is this prevented in your proposal? Do we just accept that the typical user might have multiple copies of a library installed, with no guarantees that they're free of security issues?

Keep in mind that this isn't the sort of issue that might be obvious to an end user. The average Windows user probably has 14 versions of many common DLLs installed, all from random sources, and probably has a bunch of random ones with security issues (including zlib). The software all works, because the versions don't collide and the user doesn't realize that they are wasting RAM and are vulnerable. So, it would be pretty easy to say that the Windows approach "just works."

Maybe they have found some way to prevent issues like these, but the conversation would move forward if this were actually explained, rather than just dismissing concerns.

-- 
Rich