[erlang-questions] Using system's zlib

Paul Mineiro <>
Sat Jul 7 20:39:45 CEST 2007


Perhaps instead a patch to zlib is in order?

I envisioning a method that let's it take some function pointers to use
for memory allocation.  (BDB does that.)  Maybe the upstream maintainer of
zlib would go for that.

-- p

On Sat, 7 Jul 2007, Christian Faulhammer wrote:

> Gaspar Chilingarov <>:
>
> >   >> About patches -- it took me about 1-2 day to merge in new
> >   >> version of
> >  >> zlib to erlang sources :)
> >  >
> >  >  Still, are those patches very special or could upstream provide
> >  > your needed features?
> > Well, I've refreshed my knowledge about this :)
> > They only differ by memory allocation functions. Erlang version uses
> > internal [mc]alloc functions and not the system wide ones.
>
>  Gnah.  So no chance to have a configure switch --with-system-zlib?
>
> >  >  As I am maintainer of erlang in Gentoo Linux, I have a bug open
> >  > asking for using system's zlib, but that is not important to
> >  > you. :)
> > Well, I've tried to force it use freebsd's system library, but it
> > seems not that easy.
>
>  That's what I noticed, too.  And before I heavily patch everything I
> just went to ask upstream.
>
> >  >  Take it that there is a security flaw in zlib.  zlib in Gentoo is
> >  > updated, stabled and done.  Nobody thinks of erlang (or any other
> >  > package shipping a custom version of zlib instead of linking
> >  > against the system one), so we have a possibly vulnerable version
> >  > in the tree. Which is baaaaad.  Backporting patches from vanilla
> >  > zlib to erlang is just needless work in my eyes, and I have to be
> >  > aware of these fixes or even of an included library (there may be
> >  > more I don't know about).
> > Zlib core patches are really small -- about 5-10 lines of code, but
> > makefiles and etc are adopted from erlang's distribution and not
> > zlib's. So in practice one can patch zlib easily in case of any
> > errors. (In freebsd it's possible to have port's sources patched
> > after extract phase and before configure/make).
>
>  Gentoo is source based, and Portage is similar to ports...but I need
> to know about a vulnerability in zlib and then check erlang.  In my
> eyes double work if one could benefit from the zlib everyone uses.
>
> V-Li
>
> --
> http://www.gentoo.org/
> http://www.faulhammer.org/
> http://www.gnupg.org/
>

Ignorance of what is going on is no barrier to confidence.



More information about the erlang-questions mailing list