Re: [Tracker] embedded code copy in tracker is problematic



2016-03-01 18:00 GMT+01:00 Carlos Garnacho <carlosg gnome org>:
> Hi Michael,
>
> On Tue, Mar 1, 2016 at 4:52 PM, Michael Biebl <mbiebl gmail com> wrote:
>> Hi everyone,
>>
>> I just noticed that the new tracker 1.6.2 contains a code copy of
>> sqlite and no longer allows one to use the system sqlite library.
>> This is problematic for various reasons and distros like Debian [1]
>> and Fedora strongly discourage such code copies.
>>
>> Would it be possible to re-add the ability to link against the system
>> sqlite and only fall back to the embedded copy if the system library
>> doesn't meet the requirements of tracker (and output a big fat warning
>> in this case)?
>
> Not sure if you missed the action caused by sqlite 3.11. From that
> version on, they've hidden by default a SQL function that's
> indispensable for us.
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7036

Seems I missed that, indeed. Most likely because of:

sqlite3 (3.11.0-2) unstable; urgency=low

  * Compile with SQLITE_ENABLE_FTS3_TOKENIZER for backwards compatibility
    (closes: #815499).
  * Update Standards-Version to 3.9.7 .

 -- Laszlo Boszormenyi (GCS) <gcs debian org>  Tue, 23 Feb 2016 21:31:39 +0100

So this particular change was reverted in Debian.

> Tracker itself is not hit by this CVE, but we've evidently become
> collateral damage since this is removed by default.
>
> The embedded copy solution has only been done on current stable
> releases (1.4 and 1.6). It's not one I'm too happy with. But it's
> surely better than requiring -DSQLITE_ENABLE_FTS3_TOKENIZER
> system-wide (partly why I just went for always using the embedded
> copy, this is something distros don't want enabled). For master (and
> upcoming 1.8), I've opted for using FTS5 (which doesn't have this
> problem), and still rely on the system sqlite library.
>
> I understand and share your concerns, but this is kind of a rough spot
> we're on :).

Has there been any discussion with sqlite upstream to solve that
differently? I mean breaking consumers of the sqlite APIs can't be the
proper fix for that.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
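A build-time probe of the kind Michael proposes (use the system SQLite only if it still meets Tracker's requirement, otherwise warn and fall back to the embedded copy), written here as an added example; it is not code from Tracker, Debian or the thread. It assumes Python's sqlite3 module is linked against the system libsqlite3, and that the requirement in question is the fts3_tokenizer() interface that 3.11.0 hides unless the library was built with SQLITE_ENABLE_FTS3_TOKENIZER.

```python
import sqlite3
import sys

# Tracker 1.x needs the fts3_tokenizer() SQL function. SQLite 3.11.0 hides
# it unless the library was built with SQLITE_ENABLE_FTS3_TOKENIZER (the
# mitigation for CVE-2015-7036); versions before 3.11.0 always expose it.
RESTRICTED_SINCE = (3, 11, 0)


def decide(version_info, tokenizer_enabled):
    """Pure policy: 'system' if the system library is usable, else 'embedded'."""
    if tuple(version_info) < RESTRICTED_SINCE:
        return "system"
    return "system" if tokenizer_enabled else "embedded"


def fts3_tokenizer_enabled(conn):
    """Ask the linked library whether it was compiled with the option.
    sqlite_compileoption_used() is a built-in SQL function; if the library
    omits the diagnostics functions, conservatively assume 'hidden'."""
    try:
        row = conn.execute(
            "SELECT sqlite_compileoption_used('ENABLE_FTS3_TOKENIZER')"
        ).fetchone()
    except sqlite3.OperationalError:
        return False
    return bool(row[0])


def probe_system_sqlite():
    """Inspect the libsqlite3 this process is linked against and decide."""
    conn = sqlite3.connect(":memory:")
    try:
        enabled = fts3_tokenizer_enabled(conn)
    finally:
        conn.close()
    version = sqlite3.sqlite_version_info
    return {"version": version, "fts3_tokenizer": enabled,
            "use": decide(version, enabled)}


if __name__ == "__main__":
    result = probe_system_sqlite()
    version = ".".join(map(str, result["version"]))
    if result["use"] == "embedded":
        # the "big fat warning" asked for in the thread
        print("WARNING: system SQLite %s hides fts3_tokenizer(); falling "
              "back to the embedded copy" % version, file=sys.stderr)
    else:
        print("using system SQLite %s" % version)
```

On Debian's 3.11.0-2, which re-enabled the option, the probe reports the system library as usable; on a stock 3.11.0 build it selects the embedded copy.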
