borgbackup / borg

Deduplicating archiver with compression and authenticated encryption.
https://www.borgbackup.org/

borg 1.4 - remove bundled 3rd party software #8094

Closed ThomasWaldmann closed 4 months ago

ThomasWaldmann commented 4 months ago

borg up to and including 1.2.x includes these 3rd party packages (as source code):

In master branch (future borg2), these were removed - meaning that the respective requirement must be met by a library and headers installed on the OS at build time (and the library being present at runtime).

I recently updated the bundled lz4, zstd and xxhash versions to their most recent stable releases (in borg 1.4-maint branch).

But after that, I thought maybe these should be removed completely and borg 1.4 should always use the libraries (the borg package should pull the libraries via a package requirement).

For linux (bsd, macOS, ...) package maintainers this might mean adding these library requirements - if they didn't already do that since long. Usually using separate library packages is the preferred way due to simpler security and bug fix updates of these.

borg 1.x uses the libraries by default except if the binary package builder sets BORG_USE_BUNDLED_... environment variable or the respective library is either not installed or can not be found.

So, I need some feedback about this: would removing the bundled code be an issue for anybody? If so, speak up below and hold me back!

Note: this does not apply to the pyinstaller-made "fat binary" downloads offered on the github releases page - they always include everything needed (python, libraries, ...).

ThomasWaldmann commented 4 months ago

@LocutusOfBorg @FelixSchwarz @bket ^^^

ThomasWaldmann commented 4 months ago

BTW, a nice side-effect of this would be that our setup*.py code could be reduced / simplified significantly (compare master to current 1.4-maint).

FelixSchwarz commented 4 months ago

In recent versions Fedora + EPEL we are not shipping any bundled dependencies. The proposed version requirements are no problem at least in Fedora + EPEL 9. EPEL 8 still ships borgbackup "1.1-maint" and so far I'm not planning to update it (though it might become an issue if there is a security vulnerability which I can not fix easily).

So +1 from me.

LocutusOfBorg commented 4 months ago

+1 from me too

LocutusOfBorg commented 4 months ago

This is what our clean target actually does:

override_dh_clean:
        dh_clean
        # make sure system libraries are used
        find . -name blake2.h -delete
        find . -name lz4.h -delete
        find . -name zstd.h -delete
        find . -name xxhash.h -delete
        find . -name xxhash.c -delete

And we build-depend on libzstd-dev, liblz4-dev, libxxhash-dev,
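
A packaging job can check both conditions this thread relies on before building: none of the files removed by the clean target above are left in the tree, and no BORG_USE_BUNDLED_... variable is set. This is an added example, not code from the thread or from the borg project; the function names are hypothetical, and only the variable prefix is matched because the thread elides the suffix.

```shell
#!/bin/sh
# Pre-build gate: fail when bundled library sources or a bundled-library
# override would let the build skip the system libraries.

# File names taken from the clean target quoted in this thread.
BUNDLED_NAMES="blake2.h lz4.h zstd.h xxhash.h xxhash.c"

# Print every bundled copy found under directory $1, one path per line.
find_bundled() {
    for name in $BUNDLED_NAMES; do
        find "$1" -type f -name "$name"
    done
}

# Print the names of environment variables starting with BORG_USE_BUNDLED_.
# Only the prefix is matched; the suffixes are not listed in the thread.
bundled_env_vars() {
    env | sed -n 's/^\(BORG_USE_BUNDLED_[A-Za-z0-9_]*\)=.*/\1/p'
}

# Return 0 when tree $1 and the environment are clean, 1 otherwise.
# Findings go to stderr so the build log shows what to remove.
audit_tree() {
    hits=$(find_bundled "$1")
    vars=$(bundled_env_vars)
    rc=0
    if [ -n "$hits" ]; then
        printf 'bundled source still present:\n%s\n' "$hits" >&2
        rc=1
    fi
    if [ -n "$vars" ]; then
        printf 'bundled-library override set:\n%s\n' "$vars" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: pass the unpacked source directory as the first argument.
if [ -n "${1:-}" ]; then
    audit_tree "$1" || exit 1
fi
```

Run it against the unpacked source tree after the clean step; a non-zero exit means the build could still pick up bundled code.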

bket commented 4 months ago

OpenBSD is not shipping with bundled dependencies, so no issue here. Deps version requirements are ok.

ThomasWaldmann commented 4 months ago

Thanks for the feedback. Guess I'll wait a while if somebody wants to hold me back and if not: remove the bundled stuff, simplify setup*.py (in 1.4-maint).

For a while, there is the option to stay on borg 1.2.x if anybody needs the bundled stuff until the lib dependencies have been packaged or someone has made a "build all from sources" script.

ThomasWaldmann commented 4 months ago

Fixed by #8117.