by chriswarbo 3882 days ago
> Because a dedicated library could change its API in version 2.0, and at the same time fix important security flaws.

The correct thing to do is back-port fixes to the 1.x branch, or come up with an alternative fix if the 1.x/2.x transition changes too much (in the latter case, the 1.x and 2.x versions would essentially be different libraries which just-so-happen to share the same name). Anyone can (attempt to) do this patch, including the library authors, the browser authors (who may be the same people), or any other users of the library.

If upstream don't accept such patches, and repeatedly indulge in such uncooperative behaviour, there is always the option to fork (and, in the process, perhaps strip out the parts which the browser doesn't need to make maintenance easier).

As an aside, the situation you describe sounds a lot like the Firefox/Iceweasel drama in Debian!

2 comments

> Firefox/Iceweasel drama

Was it a drama though? AFAIK it was pretty much drama free. Debian wanted to backport security fixes themselves but it wouldn't have complied with Firefox's trademark policy. So they just changed the name/icon and didn't make a big deal out of it.

The end user doesn't care about the correct thing, they just want their web browser to work and to not break any other applications in their operating system. Working and not breaking other stuff is 'the correct thing', being secure is also 'the correct thing' so the culmination of these two leads to 'the browser contains all the libraries it needs'. This whole forking crap is exactly the last thing the end user wants or needs to care about.

> The end user doesn't care about the correct thing

I think both of our definitions of "correct" coincide.

The reason to use libraries is precisely so that the applications will work, not break each other, be secure, etc.

The article talks about different browsers supporting different sub-sets of possible BMPs; from a user perspective, I wouldn't call that working.

> the culmination of these two leads to 'the browser contains all the libraries it needs'

This doesn't conflict with what I said. Write as many libraries as you like. Grab as many third-party ones as you want. Use OS-provided ones if you prefer that. Bundle them with your browser, I don't care. Statically link the binaries if it makes things easier. Keep copies of the libraries in your browser's source control if you think that's best. I wasn't addressing any of that.

My point was to use libraries; regardless of who writes them, how they're distributed, how they're linked, etc.

> This whole forking crap is exactly the last thing the end user wants or needs to care about.

Erm, exactly? Nobody likes to fork a project. It's a last resort for bad situations. End users certainly do care when devs steer a project off course; hell, just look at the outcry that happens whenever some social media site changes its colour scheme a little!