On 09/30/2009 10:43 AM, Michael Schroeder wrote:
> On Wed, Sep 30, 2009 at 10:27:44AM -0700, Toshio Kuratomi wrote:
>> So... that means the custom zlib isn't necessary to the proper operation
>> of deltarpm, correct? I haven't looked at where in the code this is
>> being used yet but I'm guessing this zlib is used when:
>>
>> 1) Reading the existing rpm -- this should work with vanilla zlib as well
>> 2) Compressing the deltarpm -- this should work with vanilla zlib, just
>> not be as kind to rsync.
>
> No, things are a bit different. Fedora's rpm used to have a
> modified copy of zlib so that the created rpms were more rsync
> friendly. As deltarpm needs to recreate the same compressed
> payload I also had to support this.
>
<nod> -- So historically, this bundled library seemed like a good idea
for the *same* reason as the rsync/zsync situation. You had the need to
produce the same format with deltarpm as rpm did with its bundled and
forked private zlib. Since neither the rpm maintainer nor you wanted to
be responsible externally for the forked copy, you just bundled the same
version of zlib as they did.

At some point, rpm maintainers asserted sanity on their situation and
began to build against the system zlib, discarding the rsync patch in
favor of maintainability. deltarpm didn't catch on to that change so it
continued to ship a forked copy. Eventually, the fork failed to update
with the latest version of zlib and so it began to ship with a known
vulnerability that had already been fixed in the main zlib package.

And that's how we got to where we are today.

> AFAIK the current rpm uses the system's zlib library, so the
> deltarpm copy is also no longer needed for Fedora.
>
Interesting. That's slightly puzzling though. That would mean that
deltarpm wasn't able to create the same compressed payload on Fedora
where Fedora's rpm used the system zlib, correct? That would mean
rpm-4.4.2.2, at least as far back as Fedora 10. Yet we were testing
deltarpms for Fedora 10 and Fedora 11, correct?

I'm building new deltarpm packages for F-10, F-11 now. F-12 and devel
are built.

I'm not sure what to do about EPEL -- EL-4's rpm is pre-rpm-4.4.2.2.
EL-5's rpm starts off at rpm-4.4.2 but by the time we hit RHEL-5.4 we're
past rpm-4.4.2.2 so it's okay.

Also, the infrastructure builders are going to need to be updated. Since
it appears we're only building deltarpms for the Fedora repos, I think
it's safe to build that package with system zlib as well.

-Toshio