The D ecosystem in Debian with free-as-in-freedom DMD

Vladimir Panteleev via Digitalmars-d digitalmars-d at puremagic.com
Mon Apr 10 06:07:22 PDT 2017 

On Monday, 10 April 2017 at 12:59:37 UTC, Matthias Klumpp wrote:
>> Who came up with those policies and decided that they apply to 
>> D? Because I really don't think they should.
>
> They are the result of years of experience in building complex 
> systems and keeping them secure.
> If you have a dependency chain "X -> Y -> Z" (-> meaning 
> "depends on"), and you find a security bug in Z, you the 
> security team will just need to fix the bug in Z to resolve it 
> in the whole distribution.
> But if the code which has this issue is compiled into all of 
> the packages that depend on them, you will need to rebuild the 
> full dependency chain to actually fix the security issue, which 
> is not only time intensive but also a huge maintenance effort.
> In this simple example it doesn't look like much, but those 
> dependency chains can grow massively large and complicated, and 
> the only way to keep the large software stack maintainable and 
> secure is by splitting pieces cleanly.
>
> Embedded code copies are allowed in rare events, but in these 
> cases the security team needs to be aware of them.
> Sometimes, the licenses also explicitly prevent embedded code 
> copies.
>
> Aside from these issues, splitting things cleanly also makes 
> general package maintenance much easier, and adds flexibility 
> for our users who can mix and match parts of the distribution 
> as they like and combine them with their own code.

No, I understand all of this. What I'm saying that in the case of 
D, these rules, though making sense, will just not work. You 
can't replace a piece of code in a template instantiation in a 
compiled program, shared libraries and stable ABI or not.

> You need to see here that D is not the center of the world and 
> we will need to make it work nicely with the rest of the system.

The opposite is also true: requiring a stable shared library API 
of every packaged D library is just as unreasonable. In fact, to 
make these rules useful and applicable to all D programs, you'd 
have to completely forbid templates in the library's public 
interface, which would immediately exclude Phobos for one.

More information about the Digitalmars-d mailing list