[Debian-med-packaging] Debian package for vsearch

Andreas Tille andreas at an3as.eu
Fri Feb 20 10:03:24 UTC 2015


Hi Torbjørn,

On Fri, Feb 20, 2015 at 09:25:09AM +0000, Torbjørn Rognes wrote:
> > please write your Makefile such that it will simply use the existing
> > zlib or bzip2 libraries on the system. Bundling the zlib or bzip2 code
> > with your own code makes life more difficult from the packaging point of
> > view (we'll have to create a modified source package without those
> > libs).
> 
> Hm. We were planning to do exactly what you do not recommend. But we might reconsider. We planned to include the source of zlib and bzip2 in the src directory and link their object files directly into vsearch. They seem quite stable.

I agree that these two libs are stable and very frequently used.
However, there are several good reasons not to link code copies
statically to your software.  One major reason are security
considerations.  These kinds of libraries might serve as a welcome
intrusion vector even if you do not see this in the first place.  Just
assume vsearch might be used in some web app where users can upload some
compressed (fake) sequences which are delivered to vsearch possibly
containing an outdated / not fixed compression code featuring a
backdoor.  The sysadmin (be it on a Debian machine or not) feels safe
since he has updated the relevant system library but he is not.  This is
not an artificial example - I just had this in a perfectly comparable
example where upstream was delivering a copy of regexp[1].

> We have already included the code from Google CityHash (https://code.google.com/p/cityhash/).

... which is also not the best idea but I think in this case it is
somehow rectified since you cannot assume that this library is
installed on recent computers (in contrast to zlib and bzip2).
 
> We think it would make life easier for those who compile and use vsearch, because then we can make sure that both of these libraries are part of vsearch and that they use the correct version of the libraries. In my experience the availability and version of these libraries vary a lot from system to system, and I had problems compiling vsearch without updating at least one of them.

In my opinion you are trying to work around a problem at the users' side by
creating new problems at other sides.  The correct solution for the
problem to make sure the right library version is used at build time is
to use tools like automake or cmake or a similar tool which is capable of
verifying the version of the used libraries.  I would not call myself a
skilled automake expert but we could try to create something for you
that fulfills the purpose of checking library versions and creates
according makefiles.
 
> Why do you have to remove these libs from the package if we include them?

Because code copies are evil. ;-)
(If you are not convinced by the one reason above I could try to
come up with more.)

Kind regards

        Andreas.

[1] https://bugs.debian.org/778397

-- 
http://fam-tille.de
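The build-system approach Andreas recommends (verify the system zlib and bzip2 at configure time and link them dynamically, so that a security update to the system library reaches the binary without a rebuild) could look like the following CMake file. This is an added illustration, not part of the mail and not vsearch's own build configuration; the project name, the minimum versions 1.2.8 / 1.0.6 and the source file list are placeholders chosen for the example.

```cmake
# Added example, not vsearch's own CMakeLists.txt.
# Build against the system zlib and bzip2 instead of bundled copies.
cmake_minimum_required(VERSION 3.12)
project(vsearch LANGUAGES C CXX)

# The minimum versions below are placeholders for this example; pick the
# oldest release whose API the code actually needs.  Both checks make the
# configure step fail loudly when the library is absent or too old, which
# is preferable to silently compiling a private, possibly stale copy.
find_package(ZLIB 1.2.8 REQUIRED)    # provides ZLIB::ZLIB and ZLIB_VERSION_STRING
find_package(BZip2 1.0.6 REQUIRED)   # provides BZip2::BZip2 and BZIP2_VERSION_STRING

message(STATUS "Using system zlib ${ZLIB_VERSION_STRING}")
message(STATUS "Using system bzip2 ${BZIP2_VERSION_STRING}")

# Source list is a placeholder.
add_executable(vsearch src/vsearch.cc)

# Linking the imported targets picks up include paths and the shared
# libraries; a later security fix to libz or libbz2 on the system is then
# picked up at load time without rebuilding vsearch.
target_link_libraries(vsearch PRIVATE ZLIB::ZLIB BZip2::BZip2)
```

Running `cmake -S . -B build` with an outdated or missing library stops at the configure step with a message naming the library and the version found, which is exactly the information a packager wants; with the libraries present, `ldd build/vsearch` shows `libz.so` and `libbz2.so` resolved from the system rather than baked into the binary.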
