status of forked zlibs in rsync and zsync

Toshio Kuratomi a.badger at gmail.com
Wed Sep 30 18:34:14 UTC 2009


On 09/30/2009 10:43 AM, Michael Schroeder wrote:
> On Wed, Sep 30, 2009 at 10:27:44AM -0700, Toshio Kuratomi wrote:
>> So... that means the custom zlib isn't necessary to the proper operation
>> of deltarpm, correct?  I haven't looked at where in the code this is
>> being used yet but I'm guessing this zlib is used when:
>>
>> 1) Reading the existing rpm -- this should work with vanilla zlib as well
>> 2) Compressing the deltarpm -- this should work with vanilla zlib, just
>> not be as kind to rsync.
> 
> No, things are a bit different. Fedora's rpm used to have a
> modified copy of zlib so that the created rpms were more rsync
> friendly. As deltarpm needs to recreate the same compressed
> payload I also had to support this.
> 
<nod>  -- So historically, this bundled library seemed like a good idea
for the *same* reason as the rsync/zsync situation.  You had the need to
produce the same format with deltarpm as rpm did with its bundled and
forked private zlib.  Since neither the rpm maintainer nor you wanted to
be responsible externally for the forked copy, you just bundled the same
version of zlib as they did.

At some point, rpm maintainers asserted sanity on their situation and
began to build against the system zlib, discarding the rsync patch in
favor of maintainability.  deltarpm didn't catch on to that change so it
continued to ship a forked copy.  Eventually, the fork failed to update
with the latest version of zlib and so it began to ship with a known
vulnerability that had already been fixed in the main zlib package.  And
that's how we got to where we are today.

> AFAIK the current rpm uses the system's zlib library, so the
> deltarpm copy is also no longer needed for Fedora.
> 
Interesting.  That's slightly puzzling though.  That would mean that
deltarpm wasn't able to create the same compressed payload on Fedora
where Fedora's rpm used the system zlib, correct?

That would mean rpm-4.4.2.2, at least as far back as Fedora 10.  Yet we
were testing deltarpms for Fedora 10 and Fedora 11, correct?

I'm building new deltarpm packages for F-10, F-11 now.  F-12 and devel
are built.  I'm not sure what to do about EPEL -- EL-4's rpm is
pre-rpm-4.4.2.2.  EL-5's rpm starts off at rpm-4.4.2 but by the time we
hit RHEL-5.4 we're past rpm-4.4.2.2 so it's okay.  Also, the
infrastructure builders are going to need to be updated.  Since it
appears we're only building deltarpms for the Fedora repos, I think it's
safe to build that package with system zlib as well.

-Toshio
