Opened 12 years ago

Closed 12 years ago

Last modified 10 years ago

#2071 closed Bug (wontfix)

allow system copy of miniupnpc to be used

Reported by: ssuominen
Owned by: charles
Priority: Normal
Milestone: None Set
Component: Transmission
Version: 1.61
Severity: Normal
Keywords: patch-needed
Cc:

Description

Transmission 1.61 bundles a copy of miniupnpd, version 1.3 if I'm not mistaken. It doesn't allow the user to select a library installed on the system instead, which is a potential security issue for distribution packages and a small overhead.

Please provide a way to use the system library.

Reference, http://bugs.gentoo.org/show_bug.cgi?id=269082

Change History (9)

comment:1 Changed 12 years ago by charles

  • Keywords patch-needed added
  • Owner set to charles
  • Status changed from new to assigned
  • Version changed from 1.60+ to 1.61

I think we should probably add an option in configure.in to use the system libraries instead of the ones in third-party. If you want to cook up a patch for this, I'd likely put it into the next release.

In the meantime, I'm a little suspicious of the "potential security issue" language here, especially since you used the same boilerplate text in #2070. Is there an actual advisory you're referring to?

comment:2 Changed 12 years ago by charles

  • Summary changed from Transmission 1.61 (and previous releases) bundles a copy of miniupnpd to allow system copy of miniupnpc to be used

comment:3 Changed 12 years ago by ssuominen

I meant by "potential security issue" that if the bundled library gets one, we need to track down every application in our Portage tree (thousands of applications) to find out where it's used, instead of patching it only in the system lib. Please try to see the issue from a packager's point of view.

I'll try to hack up a patch for this in the coming days.

comment:4 Changed 12 years ago by charles

ssuominen: any progress on this?

comment:5 Changed 12 years ago by charles

ssuominen: ping

comment:6 Changed 12 years ago by charles

ssuominen: any news?

comment:7 Changed 12 years ago by charles

ssuominen: the reason I keep pinging is that 1.70 is upcoming, and I'd like to get your patch into that release. Can you have the patch ready in the next couple of days?

comment:8 Changed 12 years ago by charles

  • Resolution set to wontfix
  • Status changed from assigned to closed

Miniupnpc is a great library, and after completing this ticket's sibling libevent ticket, I set out to try to implement this one too, for Transmission 1.70. But it's not going to happen... the risk/reward ratio is a lot worse for miniupnpc than for libevent.

Cutting out libevent saves us 16,000 lines of code. More importantly, libevent has had a stable binary interface for about two years now.

Miniupnpc is less than 1/5th the size of libevent. And in the same two-year period, there have been four different binary interfaces: it changed in the 2007/12/13, 2008/10/02, and 2009/01/29 releases. Moreover, it's nearly impossible to tell which version of miniupnpc you've got -- the *only* info is kept in MINIUPNPC_VERSION_STRING, but it reads "1.2" for both versions 1.2 and 1.3, so the only reliable way is to try and compile the different function APIs and see which ones survive the compile.

If you still feel up to this task, please reopen this ticket when you have a clean patch ready.

comment:9 Changed 10 years ago by jordan

Ticket #4323 has been closed as a duplicate of this ticket.

Last edited 10 years ago by jordan