= Proposal topic =
Allow Racket, a Scheme-based language and programming environment, to bundle several libraries that upstream developers think are essential
= Overview =
The Racket language and programming environment, previously PLT Scheme, ships with a lot of bundled libraries. We already have PLT Scheme in our repository, and unfortunately it violates our "no bundling" policy in very significant ways.
The essential bundled libraries:

Provides: bundled(libffi) = 3.0.10rc0
# the bundled GMP is a mix of versions 3 and 4
Provides: bundled(gmp) = 3.99
Provides: bundled(lightning) = 1.2
Provides: bundled(libunwind) = 0.99.0

Additionally, racket provides two garbage collectors: a modified version of Boehm GC, and their own garbage collector. While the proposed racket packaging uses only the latter, the current plt-scheme packaging uses the Boehm GC on ppc64.
I'm perfectly happy to just drop support for architectures where the new GC does not work, if we decide not to allow Boehm GC to be bundled.
One of the included extension modules, 'plot', also contains some bundled libraries -- gd, png, zlib, etc. There is currently a security bug open against plt-scheme because it's also affected by the gd security flaw from 2009; current maintainer has yet to respond (he's not been seen for more than a year; I've just initiated the first step of the non-responsive maintainer process). I'm currently excising it from the racket package until it could be fixed properly.
= Problem space =
The current plt-scheme packaging violates the "no bundling" policy in major ways, and is significantly out of date. We should decide whether the bundling (both for core functionality, and for add-ons such as the plot module) should be allowed.
= Solution Overview =
If bundling is allowed, get the racket review completed ASAP and make it obsolete the current plt-scheme on all supported Fedora releases.
If not, do a quick fix on plt-scheme, removing the buggy plot module, and retire it in Rawhide before F-15 branches so that we limit the rot to F-14 and below.
= Active Ingredients =
PLT Scheme -> Racket rename request https://bugzilla.redhat.com/show_bug.cgi?id=652083
PLT Scheme's gd vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=647242
= Owners =
Michel Alexandre Salim FAS: salimma / IRC: hircus
:-(. You've done a lot of good work here in identifying all of the bundled libraries. Unfortunately, there's a lot more work to be done before we can figure out what should be done. FPC has compiled a list of standard questions that should be answered to give a clearer picture of how to proceed: https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Standard_questions Those questions would need to be answered for all of the libraries (Some of the questions might be global to every library that's being bundled, for instance, upstream's attitude towards continued bundling). If you want to test the waters, pick a few of the things you feel are the worst offenders for an initial analysis and if we feel that those can be granted exceptions you can then submit the rest. When you've done that, set the Meeting trac keyword and we'll take a look.
I agree 100% about the plt-scheme package problem. If you don't hear back from the maintainer, please put taking over ownership of the plt-scheme package back onto fesco's radar so that we can quick-fix and block that from rawhide/F-15.
ping?
It has been nearly a year since our original request for information. Could we please get an update here?
FPC, regardless of whether we get that information, it appears that the plt-scheme package was never investigated. I do not know if the issue was fixed in the past year, but it bears investigation.
plt-scheme is not buildable in F-15, and is orphaned in F-14 and deprecated in F-15 and devel: https://admin.fedoraproject.org/pkgdb/acls/name/plt-scheme; it is, however, still available on F-14. Until we have a replacement Racket package, is there any way to resolve this? e.g. maybe it'd be a good idea to have a 'package-obsoleted' empty package that obsoletes and virt-provides the packages we want removed from a particular distribution release.
An upstream developer was asking about the packaging status a few weeks ago on the previous maintainer's proposed rename request; I've forwarded the standard questions:
https://bugzilla.redhat.com/show_bug.cgi?id=676124
Please update this ticket regarding its continued relevance, providing any information requested. If this is not done within the next two weeks, this ticket may be closed due to inactivity. Thank you!
This ticket is being closed due to inactivity. If the issue referenced has not been resolved, please reopen the ticket and provide the information requested. Thank you!