David A. Wheeler's Blog

Fri, 19 Sep 2008

Developers: Use System Libraries!

The packagers from a variety of GNU/Linux distributions are informally uniting to tell software developers a simple story: “Use system libraries - don’t create local copies of libraries!”

The latest push came from Toshio Kuratomi’s email “Uniting to get upstreams to use system libraries”. Fedora, like most distributions, has a guideline that “a package should not link against a local copy of a library… libraries should be included in the system and applications should link against that [instead]”. Toshio lists two reasons why this guideline exists (I know there are other reasons too):

  1. Doing otherwise is a “losing proposition” when trying to fix security issues in a library.
  2. “applications that include their own copies of libraries are often tempted to apply their own bugfixes and feature enhancements to the library. That makes it harder to port the application to new versions of the library and runs counter to the open source philosophy of helping to improve the library for everyone.”

I’m big on security, so reason #1 is a good-enough reason to me. The Fedora packaging rules note that the fixes aren’t actually limited to security issues; not duplicating system libraries “prevents old bugs and security holes from living on after the core system libraries have been fixed.” But I think the more important reason is hinted at in the last part of reason #2. No one - not even a big FLOSS project - has infinite resources. Different people will find different problems when they use a library. If the many different applications that use a library report problems back to the library maintainers, the library maintainers can fix the problem. Then, the fix will benefit everyone who depends on the library. If every application has its own local variant of a library, then each one will have defects that were fixed in other variants.

Toshio then notes: “In the world of C applications and libraries, we don’t often run into this problem anymore. Most C application developers have learned the same lessons we have. However, in the java, mono/.net, and web application worlds, this [duplication of libraries is still] a common practice. Sometimes our packagers find themselves trying to convince upstream to change what they do without success — upstream is convinced that they need to include these local copies.” In some cases (particularly for Java), there were historical reasons that they had to do this due to licensing. But as those reasons have diminished, the practices haven’t gone away.

Fedora, Debian, openSUSE, Gentoo, and Mandriva all have policies/guidelines specifically recommending or requiring that packages not have their own special copies of libraries. All of these distributions clearly explain that applications should use normal libraries instead. Unfortunately, software developers for non-C programs don’t seem to be hearing the message. That makes it really hard to package those programs for use by end-users. As a result, applications are often harder to install, or the easily-installed versions are much delayed, because of unnecessary difficulties in packaging the program for end-users.

Yes, in a few cases a special copy of a library may be necessary. Granted. But it’s often unnecessary, and it should be the exception, not the rule. At the very least, it should be trivial to build a FLOSS application from source code so that it uses the system’s libraries instead of some local copy of the libraries.
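As an added illustration of reason #1 (this is example code written for this page, not code from the post or from any distribution): a small packager's audit that walks a source tree for bundled copies of well-known C libraries and flags any that are older than the distribution's system copy, i.e. the copies where old bugs and security holes would "live on". The header file names and version macros are the real ones; the sample tree, its versions and the "system" version table are constructed.

```python
import os
import re
import tempfile

# Marker header -> (library, regex for its version macro). The headers and macro
# names are the real ones; the list is illustrative, not exhaustive.
MARKERS = {
    "zlib.h": ("zlib", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "png.h": ("libpng", re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')),
}

def version_tuple(v):
    """'1.2.3' -> (1, 2, 3), so "1.2.11" correctly sorts after "1.2.3"."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def find_bundled_libraries(root):
    """Walk a source tree; return sorted (lib, relative path, version) per bundled copy."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in MARKERS:
                lib, pattern = MARKERS[name]
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    m = pattern.search(fh.read())
                found.append((lib, os.path.relpath(path, root), m.group(1) if m else "unknown"))
    return sorted(found)

def stale_copies(bundled, system_versions):
    """Bundled copies older than the system library, or with no recognisable version."""
    stale = []
    for lib, path, version in bundled:
        sysver = system_versions.get(lib)
        if sysver is None:
            continue  # no system copy to compare against
        if version == "unknown" or version_tuple(version) < version_tuple(sysver):
            stale.append((lib, path, version, sysver))
    return stale

def demo():
    """Constructed sample tree: a stale bundled zlib next to an up-to-date bundled libpng."""
    root = tempfile.mkdtemp()
    files = {"third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
             "ext/libpng/png.h": '#define PNG_LIBPNG_VER_STRING "1.6.37"\n'}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    system = {"zlib": "1.2.11", "libpng": "1.6.37"}  # constructed "distro" versions
    return stale_copies(find_bundled_libraries(root), system)
```

On a real package the system-version table would come from the distribution's package database rather than a constructed dict; the rest of the check is unchanged.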

So developers, please, try to work with the standard libraries instead of creating your own modified copy. Packagers - and users - around the world will thank you.
