|
Boost : |
From: Alexander Grund (alexander.grund_at_[hidden])
Date: 2024-05-02 06:58:53
Vinnie Falco via Boost:
> The more sustainable solution I think is to require that users are able to
> incorporate third party libraries into their build scripts. This is made
> easier with package managers of course, and now there are enough solutions
> that we do not need to be treating users like infants incapable of putting
> together a non-trivial program.
Nigel via Boost:
> Our specific requirement is to statically link_our_ preferred version of
> zlib built from_our_ pristine (and possibly patched) repo.
> [...]
> But, building and linking a boost-bundled zlib would be pretty close to
> that, and pretty workable in terms of bringing our patches on top.
I have a strong background in building software for HPC systemsfrom
source with some software using recipes (similar to Docker files).
A major pain point are libraries who keep bundling well known libraries
in their builds, or even worse: Downloading them during configure/build
steps. Especially when the version they use is a patched variant of some
upstream source.
This leads to a) duplication of libraries on the system and b)
complications using different libraries together as the dependencies may
conflict with each other -> ODR violations and similar.
Hence we (the community behind the "build software") spend considerable
effort in making such software use the already installed (sometimes
called "system") libraries.
So bundling something like zlib with Boost not only increases the
maintenance cost of Boost as now it would be our responsibilityto make
sure all security patches are applied (at the same time security patches
to the system or otherwise installed libraries are not included until a
new Boost release) but also may lead to subtile failures in consumers.
For use cases like using a specific version of some specific library in
an environment where compatibility between libs is otherwise handled it
is nowadays trivial to get the source of that library as most are
available on e.g. GitHub using version tags. In fact that is how it is
done on those HPC systems: Sources get downloaded from known, fixed
locations and verified against checksums to ensure reproducibility and
authenticity.
Alex
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk