Opened 14 years ago

Closed 14 years ago

Last modified 12 years ago

#2071 closed Bug (wontfix)

allow system copy of miniupnpc to be used

Reported by: ssuominen
Owned by: charles
Priority: Normal
Milestone: None Set
Component: Transmission
Version: 1.61
Severity: Normal
Keywords: patch-needed


Transmission 1.61 bundles a copy of miniupnpd, version 1.3 if I'm not mistaken. It doesn't allow the user to select a library installed on the system instead, which is a potential security issue for distribution packages and a small overhead.

Please provide a way to use the system library.


Change History (9)

comment:1 Changed 14 years ago by charles

  • Keywords patch-needed added
  • Owner set to charles
  • Status changed from new to assigned
  • Version changed from 1.60+ to 1.61

I think probably we should add an option in to use the system libraries instead of the ones in third-party. If you want to cook up a patch for this, I'd likely put it into the next release.

In the meantime, I'm a little suspicious of the "potential security issue" language here, especially since you used the same boilerplate text in #2070. Is there an actual advisory you're referring to?

comment:2 Changed 14 years ago by charles

  • Summary changed from "Transmission 1.61 (and previous releases) bundles a copy of miniupnpd" to "allow system copy of miniupnpc to be used"

comment:3 Changed 14 years ago by ssuominen

I meant by "potential security issue" that if the bundled library gets one, we need to track down every application in our Portage tree (thousands of applications) to find out where it's used, instead of patching it only in the system lib. Please try to see the issue from a packager's point of view.

I'll try to hack up a patch for this in the coming days.

comment:4 Changed 14 years ago by charles

ssuominen: any progress on this?

comment:5 Changed 14 years ago by charles

ssuominen: ping

comment:6 Changed 14 years ago by charles

ssuominen: any news?

comment:7 Changed 14 years ago by charles

ssuominen: the reason I keep pinging is that 1.70 is upcoming, and I'd like to get your patch into that release. Can you have the patch ready in the next couple of days?

comment:8 Changed 14 years ago by charles

  • Resolution set to wontfix
  • Status changed from assigned to closed

Miniupnpc is a great library, and after completing this ticket's sibling libevent ticket, I set out to try to implement this one too, for Transmission 1.70. But it's not going to happen... the risk/reward ratio is a lot worse for miniupnpc than for libevent.

Cutting out libevent saves us 16,000 lines of code. More importantly, libevent has had a stable binary interface for about two years now.

Miniupnpc is less than 1/5th the size of libevent. And in the same two-year period, there have been four different binary interfaces: it changed in the 2007/12/13, 2008/10/02, and 2009/01/29 releases. Moreover, it's nearly impossible to tell which version of miniupnpc you've got -- the *only* info is kept in MINIUPNPC_VERSION_STRING, but it reads "1.2" for both versions 1.2 and 1.3, so the only reliable way is to try and compile the different function APIs and see which ones survive the compile.

If you still feel up to this task, please reopen this ticket when you have a clean patch ready.

comment:9 Changed 12 years ago by jordan

Ticket #4323 has been closed as a duplicate of this ticket.

Last edited 12 years ago by jordan