Re: [HACKERS] Linking libpq statically to libssl - Mailing list pgsql-hackers
| From | Stephen Frost |
|---|---|
| Subject | Re: [HACKERS] Linking libpq statically to libssl |
| Date | |
| Msg-id | 20171030180703.GH4628@tamriel.snowman.net Whole thread Raw |
| In response to | Re: [HACKERS] Linking libpq statically to libssl (Daniele Varrazzo <daniele.varrazzo@gmail.com>) |
| List | pgsql-hackers |
Daniele, * Daniele Varrazzo (daniele.varrazzo@gmail.com) wrote: > On Fri, Oct 27, 2017 at 2:37 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Daniele Varrazzo <daniele.varrazzo@gmail.com> writes: > >> I have a problem building binary packages for psycopg2. Binary > >> packages ship with their own copies of libpq and libssl; however if > >> another python package links to libssl the library will be imported > >> twice with conflicting symbols, likely resulting in a segfault (see > >> https://github.com/psycopg/psycopg2/issues/543). This happens e.g. if > >> a python script both connects to postgres and opens an https resource. > > > > Basically, you're doing it wrong. Shipping your own copy of libssl, > > rather than depending on whatever packaging the platform provides, > > is just asking for pain --- and not only of this sort. You're also > > now on the hook to update your package whenever libssl fixes a bug > > or a security vulnerability, which happens depressingly often. > > > > The same applies to libpq, really. You don't want to be in the > > business of shipping bits that you are not the originator of. > > > > When I worked at Red Hat, there was an ironclad policy against > > building packages that incorporated other packages statically. > > I would imagine that other distros have similar policies for > > similar reasons. Just because you *can* ignore those policies > > doesn't mean you *should*. > > Distros do compile the library from source and against the system > package, and everyone using the package directly can still do so; the > binary packages are only installed by the Python package manager. Which, frankly, is why everyone having their own package manager that ignores the OS package manager is actually rather horrible. Obviously, it's done extensively, but it's outright horrible. > Psycopg is more complex to install than the average Python package (it > needs python and postgres dev files, pg_config available somewhere > etc) and a no-dependencies package provides a much smoother > experience. It also happens that the libpq and libssl versions used > tend to be more up-to-date than the system one (people can already use > the new libpq 10 features without waiting for debian packages). Having randomly different versions of libraries installed through two different package managers on the same system is not an improvement for users. Further, it's not like there aren't already properly built PG10 packages- they were there from the day PG10 was released, and users can install them using the OS package manager and against the OS provided version of all the various libraries. > I am confronted with the reality of Python developers as of 201x's, > and shipping binary packages has proven generally a positive feature, > even factoring in the need of shipping updated binary packages when > the need arises. The benefit of a simple-to-use library is for the > Postgres project at large, it is not for my personal gain. So while I > know the shortcomings of binary packages and static libraries, I would > still be interested in knowing the best way to fix the problem in the > subject. Feel free to write in private if you want to avoid the public > shaming. The way to fix the problem is to not use two different versions of the same library in the same binary, which you aren't going to be able to accomplish when you're forcibly pulling in a different version through your own binary package. At best you could try to use symbol versioning to try and differentiate your symbols from those of the system one, but that would depend on if the system level library is doing symbol versioning or not and then you'd still have to figure out what to do when the OS level package updates and possibly ends up with symbols *and* versions conflicting. Of course, these issues are generally (or should be) handled already by the OS level library package managers and it's no simple thing to do, but it's how things like multiple libdb versions can be available and even linked into the same running binaries and things still work there. Basically, if you can't control both versions you're just setting yourself (and our users) up for failure, if not now then in the future. In short, figure out how to have a completely different OS that's only provided through your package manager, or get along with the packages and versions as provided through the OS system (or provide your own updated versions of the OS packages and get them installed that matches what your packages are built against). Thanks! Stephen
pgsql-hackers by date: