From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BD61B138334 for ; Thu, 19 Dec 2019 08:31:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 75921E0935; Thu, 19 Dec 2019 08:31:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1CD1EE08D9 for ; Thu, 19 Dec 2019 08:31:41 +0000 (UTC) Received: from pomiot (c142-245.icpnet.pl [85.221.142.245]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id 3433334D467; Thu, 19 Dec 2019 08:31:40 +0000 (UTC) Message-ID: Subject: Re: [gentoo-dev] Needs ideas: Upcoming circular dependency: expat <> CMake From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org, Sebastian Pipping Date: Thu, 19 Dec 2019 09:31:34 +0100 In-Reply-To: <20191218235822.5b036cf2@sf> References: <1a722f8f-36b5-c313-b6e1-eac75e0839c5@gentoo.org> <85c9df6f-fcf5-61d7-90af-a375f5c75088@gentoo.org> <20191218235822.5b036cf2@sf> Organization: Gentoo Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-k0olK/aNZjGOuokpzJzK" User-Agent: Evolution 3.32.5 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 X-Archives-Salt: 294a25b6-b37b-4bf8-ab2e-908f60a8d8cf X-Archives-Hash: 5fcea3550d4024753f0bf2716d75d3be --=-k0olK/aNZjGOuokpzJzK Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, 2019-12-18 at 23:58 +0000, Sergei Trofimovich wrote: > On Wed, 18 Dec 2019 22:02:47 +0100 > Sebastian Pipping wrote: >=20 > > Hi all, > >=20 > >=20 > > I noticed that dev-util/cmake depends on dev-libs/expat and that > > libexpat upstream (where I'm involved) is in the process of > > dropping GNU Autotools altogether in favor of CMake in the near future, > > potentially the next release (without any known target release date). > >=20 > > CMake bundles a (previously outdated and vulnerable) copy of expat so > > I'm not sure if re-activating that bundle =E2=80=94 say with a new use = flag > > "system-expat" =E2=80=94 would be a good thing to resort to for breakin= g the > > cycle, with regard to security in particular. > >=20 > > Do you have any ideas how to avoid a bad circular dependency issue for > > our users in the future? Are you aware of similar problems and > > solutions from the past? >=20 > Some other distributions provide two packages to break the cycle. > Example Gentoo solution would be: "cmake.ebuild" depends on "expat.ebuild= ", > "expat.ebuild" depends on "cmake-with-bundled-expat.ebuild". >=20 I actually think this is the cleanest solution of all. To be more specific, create dev-util/cmake-bootstrap that either includes bundled dependencies (let's not forget about jsoncpp here) and installs into some dedicated prefix (e.g. /usr/lib/cmake-bootstrap). Then you'd have expat and jsoncpp would BDEPEND: || ( dev-util/cmake-bootstrap dev-util/cmake ) and the ebuild would do something like, roughly: has_version -b dev-util/cmake || local -x PATH=3D${BROOT}/usr/lib/cmake-bootstrap/bin:${PATH} Since we don't need blockers there, Portage should be able to resolve the depgraph peacefully and pull both packages in gracefully. You wouldn't have to do anything else in further revdeps. The bootstrap package would be safely isolated from the other revdeps, and it would be depcleaned once other packages pull in regular cmake. I can make a proof-of-concept based on jsoncpp if you like. --=20 Best regards, Micha=C5=82 G=C3=B3rny --=-k0olK/aNZjGOuokpzJzK Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQGTBAABCgB9FiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAl37NWdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM3 NkE4NDUwOTQwOThEMjhDQzhCMjZDNTYzOUFEQUUyMzI5RTI0MEUACgkQY5ra4jKe JA5ZVQf/W4XvutrO0TigoJ4YG2mC8ko5Jzlmm1wVzQx4hmX2vkN3rDKcF/3/cm00 q2Fgex8jkfEIifucvmA7Xb/f0R6jPvKai/ZuzAFoOHcxHneU3L3XSQtVSolJwj73 Hjv404KuYs0n6Mwq7MaFu+FX+qNDq4TENTwe6+cVOyOkWMeT5RH6hK/Rsq5MKJOI 8iQzEqc13ouCsKJZAdBzdC4mllKx2+hsYzXvJURNV99qXl1fOrPtt/96kEdcwozZ FtQkP4KN2UylIGskIh1AXc0Xuw/MWYDIuuID3FELdRqDvyv44cCLe4Yr0DFx8XKV pElry9YsgvS+EY1urDHQUwQ3Pplw8w== =HQkx -----END PGP SIGNATURE----- --=-k0olK/aNZjGOuokpzJzK--