[Bug 1595] Review request: tarsnap - Online encrypted backup service (client)

RPM Fusion Bugzilla noreply at rpmfusion.org
Sun Jan 9 06:01:17 CET 2011


http://bugzilla.rpmfusion.org/show_bug.cgi?id=1595





--- Comment #1 from Ricky Zhou <ricky at rzhou.org>  2011-01-09 06:01:16 ---
One note on this package - it contains a bundled libarchive (although note that
the author of tarsnap is one of the authors of libarchive).

The author gave the following justification for bundling:

01:56:41 < rzhou> I wonder if the patches to libarchive in tarsnap would be accepted by upstream.
04:01:38 <@cperciva> rzhou: most of them already are upstream
04:01:55 <@cperciva> rzhou: the changes which are left are too esoteric to be useful in libarchive
04:14:42 < rzhou> Ah :-/  I'm afraid that I might run into issues submitting tarsnap to rpmfusion because of the bundled library.
04:15:17 < rzhou> (They use Fedora's packaging guidelines, which doesn't allow bundled libraries: http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries)
04:18:43 <@cperciva> rzhou: the reasons given there don't really apply in this case
04:19:57 <@cperciva> rzhou: I'm one of the authors of libarchive; the lead developer prefers to have tarsnap bundle libarchive rather than pushing my changes into libarchive; I'm the FreeBSD security officer so I'll be very familiar with any security issues in libarchive; etc.
04:21:46 <@cperciva> rzhou: In general I think a no-bundled-libraries policy is a very good one to have -- but tarsnap and libarchive is quite distinctly a special case
04:22:50 < rzhou> Hm.  I guess I'll go ahead and submit it and see if it can get an exemption.  It does seem like a shame that the code differences between tarsnap's version and the original are that tiny.
04:23:27 <@cperciva> rzhou: another reason actually is that tarsnap makes some assumptions about libarchive's behaviour beyond what's strictly guaranteed by the libarchive APIs
04:24:02 <@cperciva> rzhou: so even if the tarsnap changes to libarchive were pushed upstream, tarsnap wouldn't be able to depend on an external libarchive package safely
04:24:57 < rzhou> Ah, that would definitely be relevant to mention - mind if I include a transcript of this conversation in the package review?
04:25:15 <@cperciva> rzhou: go ahead
04:25:33 < rzhou> Cool, thanks for the explanation.
04:25:50 <@cperciva> rzhou: no problem, thanks for doing the work to package tarsnap!
04:27:48 <@cperciva> rzhou: feel free to encourage the reviewers to contact me directly if they need to know anything else about how tarsnap works / why it does what it does

