>
> On 27 May 2010 23:36, Geoffroy Couprie <[hidden email]> wrote:
>>
>> On Thu, May 27, 2010 at 10:29 PM, Igor Stasenko <[hidden email]> wrote:
>>>
>>> On 27 May 2010 20:37, Bert Freudenberg <[hidden email]> wrote:
>>>>
>>>> Squeak was recently removed from Gentoo Linux Ebuilds because of security issues in our bundled plugins:
>>>>
>>>>        http://bugs.gentoo.org/show_bug.cgi?id=247363
>>>>
>>>> While it is convenient for us to bundle external library sources, package maintainers do not like that practice. Is there anything we can realistically do about it?
>>>>
>>> Here's my argument:
>>>
>>> These libraries are bundled, because Squeak VM could be built on a
>>> system which having no such libraries provided by default.
>>> To ensure bit-identical behavior on all platforms, Squeak developers
>>> cannot rely on a platform-specific versions of these libraries,
>>> because they can vary from one system to another.
>>>
>>
>> If they're not there by default, you can still link dynamically to the
>> libraries and provide them with squeak. Also, if the libraries
>> provided by the distribution have the same major version as the one
>> you use, you can expect compatibility, and profit from the regular
>> updates.
>>
>
> You seem misunderstood a key point there: bit-identical behavior.
> Which means that VM should provide same output on same input on all platforms.
> Chances that it will be so, when you using different versions of same
> library are pretty low.
> So, we can update the libraries, bundled with VM, but can't link with
> them dynamically,
> because this undermines the above.
>
> --
> Best regards,
> Igor Stasenko AKA sig.