What to do with xar

[dmacks]

Fink has xar-1.5.2, which is from 2007. Upstream (googlecode) has since been forked (github) and the googlecode project set to archive status around the 1.5.3 release. The github project's last release is 1.6.1 from 5 years ago. Apple now supplies xar also, calling it "1.6dev" in 10.9, "1.7dev" in 10.10, and "1.8dev" in 10.11 and beyond. All three of these vendors have a libxar.1.dylib, but none of their latest releases are ABI-compatible with each other (I'm not even sure apple's all are). And only Apple's 1.8dev library is immune to a recent CVE. I think there's value in continuing to roll our own package, for security on older platforms and ABI sanity on all, so we need a new package-names for the library (shlibs policy vs libxar1-shlibs/-dev). Should we bump the version value in install_name (libxar.2.dylib) and call the package libxar2-shlibs/-dev? Or bury the .dylib in a subdir and call the package libxar1-apple-shlibs/-dev? Or some other option?

[nieder]

Problem with changing install_name is if upstream (or maintained fork) ever makes a change. However, on 10.11, only xar uses libxar1-shlibs.

[dmacks]

No reverse-depends on the lib (other than xar itself) in 10.13 either.

[dmacks]

For the record:

• http://xar.googlecode.com/ (now 404)
• https://github.com/mackyle/xar
• https://github.com/apple-oss-distributions/xar

[nieder]

If we're trying to provide newer xar to older systems, then we should use apple-oss-distributions. Simplest w/out locking us out of a possible future SONAME change is to stash the latest library into a private dir. The executable can stay in %p/bin if the end user interface is backwards compatible.