Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 247363 - dev-lang/squeak contains internal copies of jpeg, pcre, libmpeg3, libgsm and probably more
Summary: dev-lang/squeak contains internal copies of jpeg, pcre, libmpeg3, libgsm and ...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Luis Araujo (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: bundled-libs
  Show dependency tree
 
Reported: 2008-11-18 13:50 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-04-06 17:37 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-11-18 13:50:11 UTC
Just check these directories:

Squeak-3.10-1/platforms/Cross/plugins/JPEGReadWriter2Plugin
Squeak-3.10-1/platforms/Cross/plugins/Mpeg3Plugin/libmpeg
Squeak-3.10-1/platforms/Cross/plugins/RePlugin

I haven't checked the bundled versions for known vulnerabilities, but anyway something should be done.

Thanks,
Diego
Comment 1 Luis Araujo (RETIRED) gentoo-dev 2008-11-29 13:53:10 UTC
I don't follow, something like what?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-11-29 14:04:54 UTC
Something like making it use system libraries instead.
Comment 3 Luis Araujo (RETIRED) gentoo-dev 2008-11-29 16:59:24 UTC
Squeak is a whole system, and these are their system libraries.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-29 00:39:04 UTC
Squeak provides system bindings to libraries, but it should not use bundled libraries for that.
Comment 5 Luis Araujo (RETIRED) gentoo-dev 2008-12-29 01:34:45 UTC
It's how Squeak works. You should file a bug upstream.

I am closing this.
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-29 01:38:57 UTC
For sure it's not fixed.

And it's a breach of policy to use the bundled libraries unless there are very very good reasons to do so. "That's how upstream does it" it's rarely a good enough reason. Often enough upstream does so because they don't know better.
Comment 7 Luis Araujo (RETIRED) gentoo-dev 2008-12-29 02:12:59 UTC
There is no benefit , instead , bunch of issues to deal with and error prone situations using system libraries for this.

Squeak, as I said, it is a whole different system, and it requires special plugins, specifically written for it; seriously, there is no point of taking these libraries from system.

Either you come out with a sane and SAFE way of getting these plugins on the fly (which I still would consider adding) or stop re-opening this bug.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-29 02:22:16 UTC
I'm not telling you to get rid of the plugins, but since I don't see much changes out of a quick look at the sources, I bet the plugins can be linked against the system copy of the libraries, and then squeak can load its plugins using those like we do for any other language (Perl, Python, PHP, Ruby, you name it).

As for "no benefit": GLSA 200701-05, GLSA 200508-17, and what about the future?

What makes Squeak so tremendously different from Perl, Python, PHP, Ruby, TCL, that it cannot use the system libraries for its bindings?

"is a whole system" does not really say much, since they are bindings, whether they come in a single huge package or not.
Comment 9 Luis Araujo (RETIRED) gentoo-dev 2008-12-29 02:43:37 UTC
Squeak is neither python, ruby, perl, or any other language out there .... Squeak is an Operating-System like language, that contains plenty of plugins maintained by the same Squeak community. Which means that when an user _installs_ Squeak, the user intends to use those plugins, the ones written by the Squeak community. I don't agree with Gentoo changing this situation, it is a very different situation than other language, where they intend to use any library from the host system.

So, please, drop this bug already since there is no benefit or point. This is pretty much something up to the Squeak community, I don't intend to re-write or fork Squeak or duplicate work here.
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2008-12-29 02:58:01 UTC
This has nothing to do with the plugins.  This has to do with squeak repackaging libraries that it should not be.  Please stop closing this as invalid since its completely valid.  Any package that we install should be using the system versions of the libraries, like libjpeg, libpcre, etc.  Thanks
Comment 11 Luis Araujo (RETIRED) gentoo-dev 2008-12-29 03:15:51 UTC
(In reply to comment #10)
> This has nothing to do with the plugins.  This has to do with squeak
> repackaging libraries that it should not be. 

Then complain with squeak. Stop re-opening this bug please.

Thanks,

Comment 12 Mark Loeser (RETIRED) gentoo-dev 2008-12-29 03:20:13 UTC
If we have to complain upstream, we will do so, but keep this open because the problem is NOT resolved.  Thanks
Comment 13 Luis Araujo (RETIRED) gentoo-dev 2008-12-29 03:32:23 UTC
I will keep this open if you want... but I thought upstream bugs were supposed to be filled to upstream and not here.
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-30 07:22:56 UTC
Just wanted to help araujo in followup on this.
He's going to open upstream bugs for the issues, and glancing at it myself, for jpeg+libgsm+pcre there don't look to be actual changes to the codebase, just the squeak authors making a complete mess of including the libraries nicely.

jpeg has two sets of new non-binding functions in new files, and aside from the jconfig.h and the binding files, the rest of the source is unmodified.
libgsm looks unmodified, but ALL of libgsm is in a single file: sqSoundCodecPluginBasicPrims.c with binding stuff on the end.
pcre - minor changes for binding only
libmpeg3 - heavy changes, doesn't match up against the main libmpeg3 upstream.

We also suspect that the squeak devs will probably ignore the report and never fix it to use external libraries, as they apparently mainly want users to use their binaries.

After arajuo has opened the upstream bugs, I'd like to strongly suggest this bug is just marked as RESO/UPSTREAM - the amount of fixing work to really solve it is decided non-trivial. There's not much we can do as Gentoo without getting our hands really dirty.
Comment 15 Samuli Suominen gentoo-dev 2010-03-03 08:18:07 UTC
@security: bundled jpeg is vuln. to GLSA 200606-11, do you want this hardmasked?
Comment 16 Samuli Suominen gentoo-dev 2010-03-03 08:23:52 UTC
(In reply to comment #15)
> @security: bundled jpeg is vuln. to GLSA 200606-11, do you want this
> hardmasked?
> 

pcre is vuln. to GLSA 200807-03 (verified the vuln. code is present in pcre.c)
Comment 17 Samuli Suominen gentoo-dev 2010-03-03 08:48:49 UTC
# Samuli Suominen <ssuominen@gentoo.org> (03 Mar 2010)
# Masked for QA, security
#
# Internal copies of vuln. libraries
# GLSA 200606-11, GLSA 200807-03 and likely more
#
# http://bugs.gentoo.org/show_bug.cgi?id=247363
#
# Removed in 60 days
dev-lang/squeak
Comment 18 Emmanuel Rosa 2010-03-06 19:16:22 UTC
Is Squeak VM being removed from Gentoo in 60 days or is it the hardmask that is being removed?
Comment 19 Samuli Suominen gentoo-dev 2010-04-06 17:37:19 UTC
And removed from tree.