View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004810 | The Dark Mod | Design/Coding | public | 31.05.2018 19:18 | 10.04.2019 04:43 |
|Product Version||TDM 2.06|
|Target Version||TDM 2.08||Fixed in Version||TDM 2.08|
|Summary||0004810: Stop shipping/using outdated bundles of dependencies|
|Description||TDM ships a lot of bundled dependencies, while most distributions ship significantly more recent versions.|
DevIL 1.7.2, Sep. 2008, current: 1.8.0, Jan. 2017
libpng 1.4.5, Dec 2010, current: 1.6.34, Sep. 2017
libjpeg ?, May 2010, current: libjpeg-turbo, 1.5.3, Dec. 2017
Ditto for curl, polarssl, zlib, ffmpeg.
All these libraries consume potentially untrusted input.
libpng: several, see http://www.libpng.org/pub/png/libpng.html
libjpeg: several, e.g. CVE-2013-6629
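The description above argues the point from a hand-made list of bundled versions, release dates and upstream versions. The following is an added example (not part of the issue, and not The Dark Mod's build tooling) of turning that list into a repeatable audit: it parses version strings, compares each bundle against the upstream release, and flags bundles older than a policy threshold, so a build can fail before an outdated copy of an input-parsing library ships. The versions and dates are the ones quoted in the issue; the day-of-month values, the two-year age limit and the `Dependency` record layout are assumptions chosen for the demo.

```python
"""Audit bundled third-party libraries against current upstream releases.

Added example for this issue; not part of The Dark Mod's build or tracker.
Versions and release months come from the issue text; days of month and
the age policy are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Dependency:
    name: str
    bundled_version: str   # "?" when the bundled copy carries no version string
    bundled_date: date     # release date of the bundled copy (day assumed = 1)
    current_version: str   # latest upstream release at audit time
    current_date: date


def parse_version(text):
    """Turn '1.6.34' into (1, 6, 34) for tuple comparison; '?' or empty -> None."""
    if text is None or text.strip() in ("", "?"):
        return None
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums) if nums else None


def audit(deps, today, max_age_days=365 * 2):
    """Return {name: [finding, ...]}; an empty list means the bundle passes policy."""
    findings = {}
    for d in deps:
        issues = []
        bundled = parse_version(d.bundled_version)
        current = parse_version(d.current_version)
        if bundled is None:
            # No version string means advisories (CVE ranges) cannot be matched at all.
            issues.append("bundled version unknown; cannot be matched against advisories")
        elif current is not None and bundled < current:
            issues.append(f"behind upstream: {d.bundled_version} < {d.current_version}")
        age = (today - d.bundled_date).days
        if age > max_age_days:
            issues.append(f"bundle is {age} days old (limit {max_age_days})")
        findings[d.name] = issues
    return findings


def report(findings):
    """Render findings as one line per library, for a CI log or a tracker note."""
    lines = []
    for name, issues in findings.items():
        status = "OK" if not issues else "; ".join(issues)
        lines.append(f"{name}: {status}")
    return lines


# Constructed from the figures quoted in the issue (days of month assumed).
# libjpeg's upstream successor in the issue is libjpeg-turbo, hence its version here.
BUNDLED = [
    Dependency("DevIL", "1.7.2", date(2008, 9, 1), "1.8.0", date(2017, 1, 1)),
    Dependency("libpng", "1.4.5", date(2010, 12, 1), "1.6.34", date(2017, 9, 1)),
    Dependency("libjpeg", "?", date(2010, 5, 1), "1.5.3", date(2017, 12, 1)),
]
ISSUE_DATE = date(2018, 5, 31)   # the day the issue was filed


def run_audit():
    """Audit the bundled set as of the issue date."""
    return audit(BUNDLED, ISSUE_DATE)


if __name__ == "__main__":
    for line in report(run_audit()):
        print(line)
```

In a real tree the `BUNDLED` list would be generated from the vendored directories (for example from each library's `CHANGES` or version header) rather than typed in, and a non-empty finding list would be a build failure.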
|Tags||No tags attached.|
While updating the dependencies is definitely a good idea, I wouldn't worry so much about vulnerabilities.
We have a game engine (originally written by the id team). And no one ever cared about its safety. It includes so many vulnerabilities on its own that dependencies are the least culprit if you start thinking about it.
One minor note for the dependencies update:
If all dependencies (after boost removal, I suppose) can be easily compiled on every platform, then perhaps include build scripts instead of libraries.
Well, this is an idea to investigate, at least.
Why not just use what is available on the system?
I have created a build which uses libpng, libjpeg, ffmpeg, zlib, DevIL from the system, and it builds and runs fine.
The whole package (tdm and tdm_update) is just 4MByte. It includes all the security fixes and performance improvements of the last years (e.g. usage of AVX instructions in libjpeg-turbo and ffmpeg).
For Windows and MacOS, shipping the dependencies might be necessary, but I doubt anyone is building tdm on Linux and is unable to install some more dependencies.
For the package and patches, see https://build.opensuse.org/package/show/home:StefanBruens:branches:games/thedarkmod
As part of related issue 0004822, I have updated all dependencies in svn rev 8158 (branch 3rdparty_4822 merged) and svn rev 8161.
Usually I chose the most recent version of each library available in the conan package manager.
I believe we should continue linking all dependencies in statically on both Windows and Linux. We have non-tech-savvy Linux players, who have no idea how to build stuff: they just download the binary and run it. For this use case to work without issues, it is important to NOT use any system dependency, and instead link everything statically.
I assume that this way also removes any issues due to differences in Linux distributions, although I am not sure here.
Anyway, I'm pretty sure that it is now much easier to switch the build to system dependencies if you want. Just search for the "ThirdParty" keyword in the scons files; there should be two places: include paths and static libs. Adjust them to the system stuff, and it should work.
I thought about adding an option to the scons build for using system dependencies. If there is demand, please create a new issue.
| Date | User | Field | Change |
|---|---|---|---|
| 31.05.2018 19:18 | StefanB | New Issue | |
| 01.06.2018 13:07 | stgatilov | Note Added: 0010487 | |
| 01.06.2018 13:07 | stgatilov | Assigned To | => stgatilov |
| 01.06.2018 13:07 | stgatilov | Status | new => assigned |
| 04.06.2018 03:49 | stgatilov | Relationship added | related to 0004817 |
| 05.06.2018 01:38 | stgatilov | Note Added: 0010499 | |
| 05.06.2018 16:20 | stgatilov | Relationship added | related to 0004822 |
| 05.06.2018 16:46 | StefanB | Note Added: 0010500 | |
| 06.06.2018 03:57 | stgatilov | Relationship added | related to 0004533 |
| 20.01.2019 07:17 | stgatilov | Target Version | => TDM 2.08 |
| 10.04.2019 04:42 | stgatilov | Note Added: 0011720 | |
| 10.04.2019 04:43 | stgatilov | Status | assigned => resolved |
| 10.04.2019 04:43 | stgatilov | Fixed in Version | => TDM 2.08 |
| 10.04.2019 04:43 | stgatilov | Resolution | open => fixed |