rust-sqlite3-src bundles sqlite3

OpenSubmitted by Maxime Devos.
Details
One participant
  • Maxime Devos
Owner
unassigned
Severity
normal
M
M
Maxime Devos wrote on 15 Sep 23:22 +0200
(name . bug-guix)(address . bug-guix@gnu.org)
d98e6721-7fcc-8b13-db36-13c66ee08397@telenet.be
X-Debbugs-CC: Aleksandr Vityazev <avityazev@posteo.org>
X-Debbugs-CC: Nicolas Goaziou <mail@nicolasgoaziou.fr>
(^ the pseudo-header, IIUC)
The patch series 53315 by Aleksandr Vityazev and accepted by Nicolas
Goaziou adds a crate rust-sqlite3-src that bundles sqlite3.
Bundling is against Guix policy for the reasons explained in the manual
I ask to:
(a) Remove the bundled copy (and if needed, adjust build.rs to always
do the pkg-config)
or
(b) Remove rust-sqlite3-src and dependents.
Additionally, for the future, I ask to check packages for bundling, and
recommend the following tricks for detecting bundling:
* if a crate name ends with -sys, there is a good chance it bundles
things
* likewise, if the synopsis or description mentions 'Bindings',
there's a good chance it bundles things.
* if a crate name contains some variation of the word 'source'
(e.g., -src), that can indicate bundling.
* if the Cargo.toml mentions 'bundled', 'system' or 'vendor' its
[features], it is bundling things.
* if the source code of a Rust package contains a .c or .h file,
it's likely bundling things
I would like to note that the bundled copy (version 3.34.1) has known
bugs that were fixed in later versions (including a CVE), according to
the changelog on the sqlite website.
Greetings,
Maxime
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 16 Sep 12:33 +0200
(address . 57840@debbugs.gnu.org)(name . nicolas goaziou)(address . mail@nicolasgoaziou.fr)
cd0417de-ffc9-d73d-6c45-6692183ad978@telenet.be
Solved locally in antioxidant by adding 'sqlite' to the inputs of
rust-sqlite3-src and removing the 'source' directory in a snippet.
Greetings,
Maxime.
Attachment: OpenPGP_signature
?