Re: [Cucumber-linux-development] The Build Process for Cucumber Linux 2.0
A general purpose desktop and server Linux distribution.
From: Scott C. <sc...@cu...> - 2018-05-16 14:52:28
I had not looked into using NetBSD curses instead of ncurses. Thanks for
sharing. It's an interesting idea, and looking into it now here are my
thoughts:
Pros:
1. Security. Ncurses has a lot of security-related problems (see
https://security.cucumberlinux.com/security/table.php?type=ALL&page_size=10&search=ncurses,
and that's just since last September). The upstream developers do a
really poor job of addressing them. NetBSD curses has had
significantly fewer vulnerabilities in that same amount of time.
This is probably at least partially due to the fact that NetBSD
curses has a substantially smaller user base than Ncurses, so I'm
not really sure that NetBSD curses is necessarily more secure than
Ncurses. Also the NetBSD project as a whole is not too concerned
with security so this could be a con as well. That being said though
NetBSD curses does have a substantially smaller code base, which
means less attack surface which generally (but not always)
correlates to fewer vulnerabilities and better security.
2. Less bloat, and consequentially faster execution.
3. Simpler design, which is easier to understand.
Cons:
1. Lack of features. NetBSD curses does not support all of the features
of Ncurses. This means there will be some code breakage if we do
make the switch, which will likely force us to create our own
patches to get certain applications to work.
2. Poorer documentation. Ncurses is very well documented, whereas
NetBSD curses is not. There are several cases where the only
documentation for NetBSD curses is the actual header files. This
would make our job substantially harder, and it would also make it
more difficult for end users to develop/compile programs using curses.
3. Smaller support base. It appears that Sabotage Linux is the only
group maintaining a portable version of NetBSD curses, and they
apparently have only two developers (I can't knock them for this
though because we don't really have them beat by far). That being
said, their curses repository hasn't seen a commit in over five
months, their primary repository
(https://github.com/sabotage-linux/sabotage) hasn't seen a commit
since the beginning of April and their mailing list has been silent
for over two years. That being the case, if we do adopt NetBSD
curses there is a good chance we will ultimately have to maintain
the portable version ourselves.
4. Stability. Pretty much everything is designed to use Ncurses. NetBSD
curses changes certain behaviors in very subtle ways (see
https://wiki.netbsd.org/curses_in_netbsd/). Furthermore these
discrepancies are not well documented. I'm worried that the switch
would have a negative impact on the stability of curses applications
and consequentially the stability and usability of the distribution
as a whole.
So looking at all of this now, it looks like if we do make the switch we
will likely have to maintain our own curses library. This includes
security fixes, porting new features and fixing stuff in other packages
when they break as a result of this. I can't speak for the other
developers here, but I personally am not in a position to take on that
sort of commitment on top of everything else. If you or any other
developers would be seriously interested in taking on this
responsibility, then we can discuss this further. Otherwise I believe we
should stick with Ncurses.
- Scott
On 05/16/2018 07:39 AM, LM wrote:
> Was looking through the packages list for Phase II. Was wondering if
> anyone has looked into using BSD-curses (
> https://github.com/sabotage-linux/netbsd-curses ) as an alternative to
> ncurses. I know a few other Linux distributions that have made the
> switch. Think it's great that you're using packages like libressl
> instead of openssl and eudev, sysvinit instead of the systemd
> packages.