-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What to do with xar #20
Comments
Problem with changing install_name is if upstream (or maintained fork) ever makes a change. However, on 10.11, only xar uses libxar1-shlibs. |
No reverse-depends on the lib (other than xar itself) in 10.13 either. |
For the record: |
If we're trying to provide newer xar to older systems, then we should use apple-oss-distributions. Simplest w/out locking us out of a possible future SONAME change is to stash the latest library into a private dir. The executable can stay in %p/bin if the end user interface is backwards compatible. |
Fink has xar-1.5.2, which is from 2007. Upstream (googlecode) has since been forked (github) and the googlecode project set to archive status around the 1.5.3 release. The github project's last release is 1.6.1 from 5 years ago. Apple now supplies xar also, calling it "1.6dev" in 10.9, "1.7dev" in 10.10, and "1.8dev" in 10.11 and beyond. All three of these vendors have a libxar.1.dylib, but none of their latest releases are ABI-compatible with each other (I'm not even sure apple's all are). And only Apple's 1.8dev library is immune to a recent CVE. I think there's value in continuing to roll our own package, for security on older platforms and ABI sanity on all, so we need a new package-names for the library (shlibs policy vs libxar1-shlibs/-dev). Should we bump the version value in install_name (libxar.2.dylib) and call the package libxar2-shlibs/-dev? Or bury the .dylib in a subdir and call the package libxar1-apple-shlibs/-dev? Or some other option?
The text was updated successfully, but these errors were encountered: