[erlang-questions] Using system's zlib
Sat Jul 7 20:39:45 CEST 2007
Perhaps instead a patch to zlib is in order?
I'm envisioning a method that lets it take some function pointers to use
for memory allocation. (BDB does that.) Maybe the upstream maintainer of
zlib would go for that.
On Sat, 7 Jul 2007, Christian Faulhammer wrote:
> Gaspar Chilingarov <nm@REDACTED>:
> > >> About patches -- it took me about 1-2 days to merge in new
> > >> version of zlib to erlang sources :)
> > >
> > > Still, are those patches very special or could upstream provide
> > > your needed features?
> > Well, I've refreshed my knowledge about this :)
> > They only differ by memory allocation functions. Erlang version uses
> > internal [mc]alloc functions and not the system wide ones.
> Gnah. So no chance to have a configure switch --with-system-zlib?
> > > As I am maintainer of erlang in Gentoo Linux, I have a bug open
> > > asking for using system's zlib, but that is not important to
> > > you. :)
> > Well, I've tried to force it to use freebsd's system library, but it
> > seems not that easy.
> That's what I noticed, too. And before I heavily patch everything I
> just went to ask upstream.
> > > Take it that there is a security flaw in zlib. zlib in Gentoo is
> > > updated, stabled and done. Nobody thinks of erlang (or any other
> > > package shipping a custom version of zlib instead of linking
> > > against the system one), so we have a possibly vulnerable version
> > > in the tree. Which is baaaaad. Backporting patches from vanilla
> > > zlib to erlang is just needless work in my eyes, and I have to be
> > > aware of these fixes or even of an included library (there may be
> > > more I don't know about).
> > Zlib core patches are really small -- about 5-10 lines of code, but
> > makefiles and etc are adopted from erlang's distribution and not
> > zlib's. So in practice one can patch zlib easily in case of any
> > errors. (In freebsd it's possible to have port's sources patched
> > after extract phase and before configure/make).
> Gentoo is source based, and Portage is similar to ports...but I need
> to know about a vulnerability in zlib and then check erlang. In my
> eyes double work if one could benefit from the zlib everyone uses.
Ignorance of what is going on is no barrier to confidence.
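
The maintenance problem raised in the thread (a package shipping its own zlib that nobody remembers when the system zlib is updated) can be checked for mechanically. The following is an added example, not part of the original messages or of Erlang's or Gentoo's tooling: it walks unpacked source trees, finds bundled `zlib.h` headers, and reports copies older than a chosen minimum version. The directory names, the sample tree and the threshold `1.2.3` are constructed placeholders.

```python
import os
import re
import tempfile

# Matches the version macro every zlib.h carries, e.g. #define ZLIB_VERSION "1.2.3"
VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.M)

def parse_version(text):
    """Turn '1.2.3' or '1.2.3.4-motley' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def find_bundled_zlib(root):
    """Yield (path, version string or None) for every zlib.h found under root."""
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" in files:
            path = os.path.join(dirpath, "zlib.h")
            with open(path, errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            # A header without the macro is still reported so a human looks at it.
            yield path, (m.group(1) if m else None)

def audit(root, min_fixed):
    """Return bundled copies that are older than min_fixed or unidentifiable."""
    floor = parse_version(min_fixed)
    findings = []
    for path, ver in find_bundled_zlib(root):
        if ver is None or parse_version(ver) < floor:
            findings.append((os.path.relpath(path, root), ver))
    return sorted(findings, key=lambda f: f[0])

def build_sample_tree(root):
    """Constructed sample: three unpacked package trees with hypothetical paths."""
    samples = {
        "pkg-a/src/zlib/zlib.h": '#define ZLIB_VERSION "1.2.1"\n',
        "pkg-b/third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
        "pkg-c/compat/zlib.h": "/* stripped header, no version macro */\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, ver in audit(tmp, "1.2.3"):
            print(f"{rel}: bundled zlib {ver or 'unknown version'}")
```

A header match only shows that a copy is present in the tree; whether the build actually compiles and links it still has to be confirmed per package.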