Re: [Tracker] embedded code copy in tracker is problematic



Hi Michael,

On Tue, Mar 1, 2016 at 4:52 PM, Michael Biebl <mbiebl gmail com> wrote:
> Hi everyone,
>
> I just noticed that the new tracker 1.6.2 contains a code copy of
> sqlite and no longer allows one to use the system sqlite library.
> This is problematic for various reasons and distros like Debian [1]
> and Fedora strongly discourage such code copies.
>
> Would it be possible to re-add the ability to link against the system
> sqlite and only fall back to the embedded copy if the system library
> doesn't meet the requirements of tracker (and output a big fat warning
> in this case)?

Not sure if you missed the action caused by sqlite 3.11. From that
version on, they've hidden by default a sql function that's
indispensable for us.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7036

Tracker itself is not hit by this CVE, but we've evidently become
collateral damage since this is removed by default.

The embedded copy solution has only been done on current stable
releases (1.4 and 1.6). It's not one I'm too happy with. But it's
surely better than requiring -DSQLITE_ENABLE_FTS3_TOKENIZER
system-wide (partly why I just went for always using the embedded
copy, this is something distros don't want enabled). For master (and
upcoming 1.8), I've opted for using FTS5 (which doesn't have this
problem), and still rely on the system sqlite library.

I understand and share your concerns, but this is kind of a rough spot
we're on :).

Cheers,
  Carlos
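
The check discussed in this thread (use the system sqlite when it meets the requirements, otherwise fall back to the embedded copy with a warning), sketched as an added example that is not part of the original email and not Tracker's build code. The names `probe`, `choose_backend` and `HIDDEN_SINCE` are hypothetical, only the compile-time flag is considered as a way to get the FTS3 tokenizer function, and applying the same fallback to the FTS5 case is an assumption.

```python
import sqlite3

# Per the thread: from sqlite 3.11 on, the function is hidden unless the
# library was built with -DSQLITE_ENABLE_FTS3_TOKENIZER.
HIDDEN_SINCE = (3, 11, 0)

def probe():
    """Inspect the SQLite library this interpreter is linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        # compile_options lists build flags without the SQLITE_ prefix.
        opts = {row[0] for row in conn.execute("PRAGMA compile_options")}
        try:
            conn.execute("CREATE VIRTUAL TABLE fts5_probe USING fts5(body)")
            fts5 = True
        except sqlite3.OperationalError:  # module not compiled in
            fts5 = False
    finally:
        conn.close()
    version = tuple(int(p) for p in sqlite3.sqlite_version.split("."))
    return {"version": version,
            "tokenizer_flag": "ENABLE_FTS3_TOKENIZER" in opts,
            "fts5": fts5}

def choose_backend(report, uses_fts5):
    """Return (backend, warning) for a branch that uses FTS5 or FTS3."""
    if uses_fts5:
        # master / upcoming 1.8 in the thread: FTS5 on the system library.
        ok = report["fts5"]
    else:
        # stable branches: need the FTS3 tokenizer function.
        ok = report["version"] < HIDDEN_SINCE or report["tokenizer_flag"]
    if ok:
        return "system", ""
    ver = ".".join(str(p) for p in report["version"])
    return "embedded", ("WARNING: system sqlite %s does not meet the "
                        "requirements, using the embedded copy" % ver)

if __name__ == "__main__":
    report = probe()
    for uses_fts5 in (False, True):
        backend, warning = choose_backend(report, uses_fts5)
        print("FTS5" if uses_fts5 else "FTS3", "->", backend, warning)
```
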

