Uniting to get upstreams to use system libraries

[Toshio Kuratomi]

One of the basic guidelines we have in Fedora is that a package should
not link against a local copy of a library.  Instead libraries should be
included in the system and applications should link against that.[1]_

This is a lesson we learned from experience with C applications linking
against their own copies of libraries which later had security issues.
Hunting down all instances of these libraries and fixing each of them
individually is a losing proposition.

There are other reasons as well.  For instance, applications that
include their own copies of libraries are often tempted to apply their
own bugfixes and feature enhancements to the library.  That makes it
harder to port the application to new versions of the library and runs
counter to the open source philosophy of helping to improve the library
for everyone.

In the world of C applications and libraries, we don't often run into
this problem anymore.  Most C application developers have learned the
same lessons we have.  However, in the java, mono/.net, and web
application worlds, this is a common practice.  Sometimes our packagers
find themselves trying to convince upstream to change what they do
without success -- upstream is convinced that they need to include these
local copies.

I'd like to know if other distributions also consider separating
libraries from applications to be a best practice.  If so, would you be
willing to collaborate on getting upstreams to see our point of view?
Things we can do are to write down our justifications for doing this,
letting upstream know that it isn't just one distribution that feels
this way, offering to help upstreams code alternatives, offering to help
forward port applications to new versions of libraries, and getting best
practice recommendations changed to reflect this (for instance, this
recommendation is made on the Mono site:
http://www.mono-project.com/Assemblies_and_the_GAC#Libraries_with_Unstable_APIs
)

.. _[1]: there's actually several guidelines that deal with different
aspects of this:
 * The main guideline states that applications must not ship private
versions of system libraries:
http://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries

 * This guideline notes that static linking is only allowed in
exceptional circumstances:
http://fedoraproject.org/wiki/Packaging/Guidelines#Staticly_Linking_Executables

 * This guideline specifies that prebuilt libraries are not allowed.
This often comes up in tandem with these problems as upstreams often
ship prebuilt java jars, mono assemblies, or python eggs of their
dependent libraries either with or in lieu of the library's source.
http://fedoraproject.org/wiki/Packaging/Guidelines#No_inclusion_of_pre-built_binaries_or_libraries

-Toshio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.freedesktop.org/archives/distributions/attachments/20080918/c27c0726/attachment.pgp