Axel Thimm wrote:
I wonder whether this is maybe overdesigned. AFAIU this signature hashing was made because ocaml is not considered stable enough to carry over signatures from release to release. Same could be told about hundreds of C libraries, wouldn't the neccessity in ocaml then imply a neccessity to hash C-library APIs as well? Maybe it's something we will consider to do someday, but the order would be to cater for C/C++/Fortran/etc libraries first and then for niche languages like ocaml. I think it's a bit too much, or did I miss something important (I'm not a real ocaml user, there is just this one application that even justifies ocaml's existance ;)
No, it's really necessary and has nothing to do with stability or otherwise of OCaml (which is a very mature language that has been around in one form or another since the mid 80s).
When OCaml compiles a library A, it takes a hash over the whole interface -- every single function, every argument to every function, and some of the internals, are just some of the things included in this hash.
When OCaml compiles library B which depends on library A, it encodes the hash of A into B.
Now we come to link a program against library B (and hence against library A). The hashes are checked and the linking will fail if, for example, the hash of A has changed since B was compiled.
C has only weak checking in comparison. Sure, you can change a library, but you'd better hope for example that some struct in that library didn't change the size of one of its fields. If it did your program will still link, but will fail in interesting ways at runtime.
OCaml's checking has the big downside, which is that it goes above and beyond what is necessary for just checking compatibility. For example, you can't add more functions to library A, even though such a change is probably safe. Nevertheless, RPM hashes are just enforcing what the OCaml linker enforces, and without them you'd be able to install incompatible OCaml RPMs which won't actually work together.
Rich. -- Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/ Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 03798903
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
