Applications and bundled libraries

Does the shipping of these 'forks' also mean they have to be loaded in
memory twice? And if all apps would do that, would that increase the memory
load of an average system? Any idea how much, if so?

I don't care much about diskspace or bandwith, but memory is a different
matter...

Are you keeping a detailed accounting of individual patches such that its easy to see which patches have been submitted to upstream and then whether each patch has been rejected/approved?

Can things be engineered such that functionality from rejected/yet-to-be-approved patches to upstream can be disabled cleanly in rebuilds? You've alluded that his is the case for nss can that also be the case for sqlite and others where there is an active upstream?

For libjingle.. if the upstream project is verifiably dead... why doesn't google spin up their libjingle as a separate project for distributors to pull releases from.

-jef

(Disclaimer: Also a Google employee, although I don't work on Chrome).

As much griping as goes on about Google's forks and patches I generally
find their approach to be responsible and practical. The focus is on
getting something working well, even if that means patching and bundling
system libraries, followed by pushing those patches upstream and
unbundling, if possible. Or, occasionally, becoming upstream.

For open source projects, it's usually not an issue. You publish the
source of your application. You publish patches to or patched versions of
the necessary dependencies. Packagers/maintainers then have the option of:

1) Updating to the upstream version that has your patches
2) Patching the shipped version
3) Bundling the library with the application (in some manner)

Yes, it's a little extra work for the repository maintainer, but not much.
It's also a (very) little extra work for the application developer to make
sure they can be built and linked against the system version of the
library. As a former Fedora maintainer, I've had to resort to some version
of that several times. Including coordinating with the maintainers of
dependent packages. Of course, Ubuntu has kind of shot themselves in the
foot on this issue with the LTS stuff, but that's (kind of) beside the
point.

Now, for closed source apps, the burden is on the application developer
and, frankly, I don't want them trying to use the more change-prone system
libraries. Bundle. Install into /opt/<application> and go away. That's
all they usually do anyway.

I'm not entirely up to speed on the Firefox/Mozilla situation, but the last
time I checked at least part of the problem was distributions packaging
mostly-internal unstable libraries as "system" libraries and then linking
other packages against them. Oh, and failing to understand/use ELF
versioning. Most distributions are perfectly capable of having multiple
versions of libraries installed and linked appropriately, provided the
library authors follow the .so versioning rules.

>Having said that we do have a number of forks. Here's an unrepresentative selection of them covering some of the reasons:
>
>libevent: need new version for bugfixes
>icu: we need a more recent version than was even provided on Karmic.
>[and so on]

So what? If $distro ships libevent2-1.4.9 for example, there are two choices:
1. you need libevent.so.2-1.4.10: fine, make it a dependency of chromium and let the distro update their libevent2.
2. you need libevent.so.3-1.5.0: fine, make it a dependency of chromium and let the distro add a package libevent3.

sqlite: if upstream is not interested, rename it, and let the distro have a sqlite-google package created (this also requires that you make it use a different SONAME than the pristine sqlite), or, if it's API-compatible, have the distro replace the original sqlite/import your patch.

Does the Chromium build system use system libraries if they are new enough?
If the autoconf (or whatever build system chromium uses) could do a version
check on the system library at build time this might reduce the pain
somewhat.

One of the reasons I run a source based distro is so I can run with recent
libs on my system which is handy as a developer.

Of course this would involve keeping careful track of the divergence of
patches between the bundled libs and upstream. I'm guessing this is a wider
problem in free software that needs a decent solution.

> libevent: we needed bug fixes and we needed to be able to run on systems
>which didn't have them.

Simple, abort build saying libevent x.y.z is needed, distributors will
figure it out.

>icu: we need a more recent version than was even provided on Karmic.

Same here.

>libjingle: upstream appears to be unmaintained.

Huh, what about asking your own company to support its own code ?

> sqlite: we added full-text indexing (now upstream) and several
>performance improvements which are rather specific to our use case. We
>don't want to do without them and upstream aren't too interested.

Contact distributors and ask them to add your patches to the system
libraries.

Doesn't debian update iceweasel as well?

It sounds like the only thing you're really getting from using the official binary is the branding.

Frankly, the centralized control does anything but hurt developers and
users. It might make developers' lives slightly more difficult by requiring
them to actually think about deployment instead of wrapping up their
/usr/lib and pushing it out in one friggin' huge binary, but the end result
is a *better* experience for users as they get regular bug fixes, security
updates and (hopefully) tested upstream changes rather than whatever "fixes"
the application developers thought expedient to cobble together so they
could get the app out the door.

And it's not like the distros are iron-fisted dictators. All of the major
ones do development in the open and are generally welcoming of input,
patches, etc.

> The big advantage is app developer control. Imagine being able to update
> your customers/users application without being dependent on N different
> distributions somewhat random selection of software, it also avoids "Oh to
> get our next update, you need to update your distro" which is completely
> unacceptible from an administration point of view.

Giving developers more power is almost never what you want to do. You want to give power to the users and system administrators.

Some system administrators are conservative. They just don't want to apply any patches except security updates. They might use RHEL 5 or something like this. They ought to be able to follow this policy without interference from developers.

If developers have to add an #ifdef somewhere in the code to make this happen, it's a small price to pay for stability and security.

> Distro's tend to want monolithic control over everything, even if it
> potentially hurts users and developers. The problem with security updates
> wouldn't be the distro's responsibility if they didn't have control every
> bit of software on your computer.

Users shouldn't have to manually update every piece of software on their computer. If it weren't the distro's responsibility, security would fall on to the users and system administrators-- another burden.

Microsoft would love to have a single update button that you could press to update all the software on your Windows PC. They've made that a reality for all the software they directly control. But they can't do it for third party software.

> The big advantage is app developer control. Imagine being able to update
> your customers/users napplication without being dependent on N different
> distributions somewhat random selection of software, it also avoids "Oh to > get our next update, you need to update your distro" which is
> completely unacceptible from an administration point of view.

First of all, this is the job of the system packager, not the app dev. Second of all, major distros have package dependencies with automatic resolution these days. I know on my system it is 'yum update firefox'. Why is it better to have a dedicated application installer pulling in /usr/local/lib/libpng.so and having the dependency resolver pull in an update to libpng?

If LSB needs funding to work, I will _never_ work. That may very well explain why it has been largely ignored. Another approach is needed.

Maybe what we need is a scaled down start, attacking the worst actual problems first, and ignoring collateral -and irrelevant- issues like which package format is to be used.

Last week I tried to rely on LSB 3.0 and it didn't work.
Maybe I did it wrong or I had wrong expectations.

So, I have a binary software built on SUSE 10 (SLES). Somewhere I found
that SUSE 10 is LSB 3.0 compatible.
So is RHEL 4/Centos 4, according to some webpage.
So I expected that the software built on SUSE 10 would also run on Centos
4. It didn't, it was expecting a symbol not present on Centos 4.

That symbol came from libstdc++, something in std::string, and it was
referenced by log4cplus. So I actually expected that log4cplus wouldn't
compile on Centos4, since there that symbol was missing, but it compiled
nevertheless successfully.

What was the reason ?
std::string has a lot of inline-functions, which call more or less
internal functions of libstdc++. Since they are inline, these calls to
internal functions end up in the resulting binary, instead of being
hidden in the binary libstdc++.

So what to do if you want to ship a binary application ?
Not sure. Link statically against libstdc++ ? Not too easy, as the web
told me.
Ship with a copy of libstdc++.so which works ? I tried, it seems to work.
But I'm not sure whether this doesn't have any other issues.

Use some other STL implementation, like STLport or stdcxx from Apache ?
Maybe, haven't tried yet.

Alex

That would be even worse, both in terms of memory consumption and in terms
of security patching.

Because, bundling is all about developer (individual and corporate) expedience, nothing more, nothing less.

All other options like
1) Getting fixes upstream
2) Changing the name of forked libraries
3) Linking staticly
all require more work on the part of the developer, so they skip out on doing it and just bundle mystery versions with their product and push the headache down to the distributors/users.

I wouldn't go quite that far. There are times when static linking is appropriate, but it can very definitely be misused.

You can consider whatever is in the LSB as "standard library".

Alternatively, consider any library that comes with the package management system as "standard library" :-)

Now, check what libraries Firefox bundles in its installation for Windows (those are not system libraries)

Static linking has the same disadvantages as bundling own libraries, with
the addition that you can't easily see which apps bundle which libraries,
making e.g. security support that much harder.

I like this.

Going even further, most people actually need only the same small fraction of these 25K packages. So it would be nice to make this centralized repository much more modular, because every apt-XXX invocation is F.... dead slow on any low-end machine.

Oh come on!

You really think that 25.000 applications can replace millions? No they can't.

First of all, if you look really closely, those aren't 25.000 applications. They're 25.000 *packages* - including libraries (who cares about those?), documentation, meta packages, maybe even development versions of packages (sources).

Secondly, you're forgetting about statistics and evolution. More variation and competition means there's a greater chance of success. Only a small percentage of applications are any good.

Thirdly, for each niche there are many design decisions. Out of 10.000 crappy applications for a certain niche, you'll have 100 decent applications, 10 really good ones, and 3 great ones, each having a different design philosophy (therefore you can't replace great application A with B or C).

Should I write my own "custom" application for everything that doesn't fit that tight collection of 25.000 "applications"? (answer: no, on Windows you find a tool already made for 99% of regular desktop activities)

Whilst I am a huge fan of 'the Debian way' of central package management, it really isn't true to say that the current (large) pile covers most areas. There are big gaps in no doubt many areas; I've recently noticed them in two: energy monitoring/control and building design. There are an awful lot of handy Windows apps for things like calculating beam loadings in buildings, and many more for specifying vendor's products like hot water tanks and ventilation equipment. Very few of those are free software, but they probably could be and either they all need adding to the distro repositories or we need a more modular mechanism for installing developer/vendor-supplied apps. I believe autopackage is intended to fill that role but it hasn't been very popular so far (possibly because the internals are pretty ugly). I mention it because no-one else has so far - maybe something like that is worth more effort.

On the energy monitoring front there are plenty of things like mango, diyzoning, owfs and temploggerd whcih are basic apps for this stuff but none are in Debian yet (or weren't last time I looked). No doubt they will be at some point but until then anyone wanting to use them has an installation problem. I tried local building but found this to be very hard indeed for the two java-based apps there when targeting an arm box. Obviously that wasn't something the developers had tried.

I do agree with those who say that developers should not be doing packaging and system integration. They are not well-placed to understand the issue of less-common architectures, complex system interactions and really have better things to be doing with their time.

I am inclined to agree that a bit more modularisation of distro repositories would be a good thing. Ubuntu's model of 'core stuff', 'common stuff' and 'everything else' is a step in this direction. Debian's monlithic tools are becoming stretched, especially on small systems (where the package management overhead can amount to 40% of the rootfs storage requirement). I'm not sure there are 'millions' of applications, but there are many tens of thousands and dealing with that efficiently is a challenge.

One other thing which I don't think has been said loudly enough in this debate is that users really do value stability. The central repository model does provide a lot more of that than the 'install random stuff off the net' model. It really is worth something, and whilst they also value being able to install 'latest' of a few apps there is a real potential tradeoff there which needs to be managed somehow. The users I deal with are _much_ more interested in having a stable system than they are in the latest and greatest. They only upgrade apps when they find they need to for some significant feature. Making that easy and reliable _and discoverable_ for them is where we have much room for improvement.

I find that the Debian backports model works pretty well for this, and could be greatly extended to provide a much larger chunk of the new stuff users want. However it is not a particularly discoverable mechanism - not helped at all by the way many users are used to the Windows model of 'just click here to install this stuff'. There is a significant element of user education to get them to stop and think for a mo and see if what they want is already in the packaging system, or would be if they/it added a suitable repo. Most software websites don't help at all with this, as they encourage the Windows model and rarely mention the 'distro' model.

So, it's a thorny issue, and I agree there is room for improvement, but I also feel that the good part of what we have is very valuable, to everybody, including naive users on laptops, even if they don't really appreciate it. Make it easier to go outside that model by all means, when necessary, but try hard not to just make thing unreliable and/or insecure as a result.

Not really, it seems extremely unlikely that they actually get the code ordered the same way
and aligned at the same point within a page.