renamed GMP symbols in GHC

Joachim Breitner nomeata at debian.org
Wed Jan 4 17:50:32 CET 2012 

Dear Michal,

Am Mittwoch, den 04.01.2012, 16:33 +0000 schrieb Michal Konečný:
> On Wednesday 04 January 2012 12:31:23 Joachim Breitner wrote:
> > I guess this means me... Indeed Debian has the policy to avoid modified
> > bundled libraries, if somehow possible. For example, we patch the build
> > system to use the system-provided libffi.
> 
> I am curious about the precise definition of "bundled libraries". It
> can be arranged that the GMP source is modified at GHC build time, so
> the _source_ package contains the original unmodified tar of GMP
> (except without documentation).  Nevertheless, the _binary_ GHC
> package will contain integer-gmp library files that contain a binary
> copy of GMP whose symbols have been renamed.  Does this count as a
> "modified bundled library"?  (I am guessing yes.)
> 
> If such binary bundling is not permissible, would it ok to have a
> separate Debian package called eg libghcgmp3c2 which is equal to
> libgmp3c2 except the exported symbols are renamed as expected by a new
> integer-gmp and the files are suitably renamed to avoid any conflict
> with libgmp3c2?

both would be no better than having a modified copy in the ghc tarball.
This is not a formal requirement but rather a guideline with a rationale
that code should be shared, not copied. The most prominent reason is
security fixes: If code is copied and a security hole is found, the
security team needs to hunt down all copies. With a single shared
library, this is not a problem (zlib has been repeatedly a “good”
example of this problem).

Now you might argue that gmp will never be the source of security
problems (although I woudn’t be too convinced about that). But even then
regular bug fixes and arch-specific fixes (which were required once for
s390) in the main gmp library would not reach GHC automatically.

The guideline is in place in Debian also because we think it is the
right thing to do, even if sometime more work, for a better and
healthier ecosystem.

So in conclusion: If you just cannot use the regular GMP library, then
just copy it and live with the bad effects. You do not have to put
effort in to make it look “nicer” (such as putting it in a separate
library package). But preferably, try hard to avoid this issue, also for
your own benefit.

BTW, Is there a way to get the linker to create two independent copies
of a library in one program space? Maybe if it is compiled as PIC
(random name dropping here)? That would seem to be an elegant solution,
as it makes the distro packers happy and you would not have to maintain
a code copy.

> On Wednesday 04 January 2012 12:21:13 Simon Marlow wrote:
> > GMP is inherently broken because it 
> > has global state, so if you want two use it from two clients in the same 
> > program, you need two copies of it.
> 
> If this could be fixed that would be fantastic.  Nevertheless, I am currently
> unaware of how hard this might be to persue, technically or politically.
> (My gut feeling is that it is not straightforward.)

Someone (I know, not a helpful way to start a sentence :-)) should ask
upstream before we make guesses.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://www.haskell.org/pipermail/glasgow-haskell-users/attachments/20120104/6e8ee78d/attachment.pgp>

More information about the Glasgow-haskell-users mailing list