r8350 - in trunk/BOOK: . introduction/welcome postlfs/security

Agathoklis D. Hatzimanikas a.hatzim at gmail.com
Wed Mar 24 00:15:49 PDT 2010


On Tue, Mar 23, at 07:59 Randy McMurchy wrote:
> Agathoklis D. Hatzimanikas wrote these words on 03/23/10 13:25 CST:
> > On Tue, Mar 23, at 11:49 Randy McMurchy wrote:
> >> -    <para><option>--with-included-libtasn1</option>: This option forces
> >> +    <!-- There is no need to add this switch. Why would anyone not want to
> >> +         use the system-installed copy instead of the mini-tasn included
> >> +         inthe gnutls sources?
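Review bot: the replacement for the removed --with-included-libtasn1 explanation is an XML comment, so the rendered book no longer tells the reader that a bundled copy exists or when it gets used. If the intent is to steer readers to the system library, say so in visible text (for example in the dependencies section) rather than in a comment. In the comment itself, "inthe" is missing a space, and the rationale would be clearer as a direct statement than as a question.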
> > 
> > 
> > Can you please check if libtasn1 is a required dependency or not?
> > I'm not in a position to verify it, but if it's required, then with that change
> > the libtasn1 should be moved to the required dependencies.
> 
> Libtasn1 is not a required dependency as there is a minitasn1
> (terminology from the GnuTLS package maintainers) packaged into the
> GnuTLS sources which will automatically stand in if you don't have the
> real libtasn1 libraries installed.
> 
> My point is that I would think that using the more-maintained libtasn1
> packaged library, versus the minitasn1 library packaged in the GnuTLS
> sources, is a better solution. Why would we want to provide a message
> to the readers to do something that sort of contradicts the strategy
> that using external libraries is preferred?
>
> The merits and costs of using external libraries versus the same
> library packaged with sources is a subject that is complex and deep
> and probably beyond the scope of this topic.
> 
> But essentially I removed a "suggestion" ("command explanations")
> that said "Don't use your external libraries, use the ones packaged
> with GnuTLS". All users probably issue ./configure --help
> and look at available options. I just thought that our putting it
> in the "command explanations" section somewhat encourages using it,
> which I think is a bad suggestion.

Current GnuTLS (2.6.6) ships with libtasn1 (2.3), while the current
libtasn1 is (2.5). So it looks like a bad suggestion (if you take out
the fact that the current maintainer of GnuTLS is also the author of
libtasn1).

But I agree: we don't really want to encourage people to use old
library versions (unless there is a reason).
But in that case, we have to make clear to the reader that if they don't
install the libtasn1 package first (which is now an optional dependency),
GnuTLS will be linked against an old libtasn1 library (the one that comes
with the distribution), because technically it is a required dependency.

I'm terrible at implementation, but perhaps a small sentence
(regarding this issue) in the dependencies section might be more than
enough.

Regards,
Agathoklis
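
The fallback discussed in this message, as an added example that is not part of the original post or the BLFS book: a pre-build check that reports whether GnuTLS would link the system libtasn1 or fall back to the older bundled copy. The function names are hypothetical, the versions are the ones quoted in the thread, and it assumes the installed libtasn1 provides a pkg-config file named "libtasn1".

```shell
#!/bin/sh
# Added example, not from the BLFS book. Versions are those quoted in the thread.
BUNDLED_TASN1=2.3   # minitasn1 shipped inside GnuTLS 2.6.6
CURRENT_TASN1=2.5   # current standalone libtasn1 release

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# installed_tasn1: print the system libtasn1 version, or nothing if absent.
# Assumption: the installed package provides a pkg-config file "libtasn1".
installed_tasn1() {
    pkg-config --modversion libtasn1 2>/dev/null || true
}

# tasn1_plan INSTALLED: say which copy a GnuTLS build would link, following
# the thread: the bundled copy stands in only when no system one is found.
# Returns 1 when the build would silently pick up an outdated bundled copy.
tasn1_plan() {
    if [ -n "$1" ]; then
        echo "system libtasn1 $1"
        return 0
    fi
    echo "bundled minitasn1 $BUNDLED_TASN1"
    if version_lt "$BUNDLED_TASN1" "$CURRENT_TASN1"; then
        echo "warning: bundled copy is older than libtasn1 $CURRENT_TASN1;" \
             "install libtasn1 before building GnuTLS" >&2
        return 1
    fi
    return 0
}

tasn1_plan "$(installed_tasn1)" || echo "GnuTLS build not recommended yet" >&2
```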
