Re: [Cucumber-linux-development] The Build Process for Cucumber Linux 2.0
A general purpose desktop and server Linux distribution.
From: Scott C. <sc...@cu...> - 2018-05-16 14:52:28
I had not looked into using NetBSD curses instead of ncurses. Thanks for sharing. It's an interesting idea, and looking into it now here are my thoughts:

Pros:

1. Security. Ncurses has a lot of security related problems (see https://security.cucumberlinux.com/security/table.php?type=ALL&page_size=10&search=ncurses, and that's just since last September). The upstream developers do a really poor job of addressing them. NetBSD curses has had significantly fewer vulnerabilities in that same amount of time. This is probably at least partially due to the fact that NetBSD curses has a substantially smaller user base than Ncurses, so I'm not really sure that NetBSD curses is necessarily more secure than Ncurses. Also the NetBSD project as a whole is not too concerned with security so this could be a con as well. That being said though NetBSD curses does have a substantially smaller code base, which means less attack surface which generally (but not always) correlates to fewer vulnerabilities and better security.

2. Less bloat, and consequentially faster execution.

3. Simpler design, which is easier to understand.

Cons:

1. Lack of features. NetBSD curses does not support all of the features of Ncurses. This means there will be some code breakage if we do make the switch, which will likely force us to create our own patches to get certain applications to work.

2. Poorer documentation. Ncurses is very well documented, whereas NetBSD curses is not. There are several cases where the only documentation for NetBSD curses is the actual header files. This would make our job substantially harder, and it would also make it more difficult for end users to develop/compile programs using curses.

3. Smaller support base. It appears that Sabotage Linux is the only group maintaining a portable version of NetBSD curses, and they apparently have only two developers (I can't knock them for this though because we don't really have them beat by far). That being said, their curses repository hasn't seen a commit in over five months, their primary repository (https://github.com/sabotage-linux/sabotage) hasn't seen a commit since the beginning of April and their mailing list has been silent for over two years. That being the case, if we do adopt NetBSD curses there is a good chance we will ultimately have to maintain the portable version ourselves.

4. Stability. Pretty much everything is designed to use Ncurses. NetBSD curses changes certain behaviors in very subtle ways (see https://wiki.netbsd.org/curses_in_netbsd/). Furthermore these discrepancies are not well documented. I'm worried that the switch would have a negative impact on the stability of curses applications and consequentially the stability and usability of the distribution as a whole.

So looking at all of this now, it looks like if we do make the switch we will likely have to maintain our own curses library. This includes security fixes, porting new features and fixing stuff in other packages when they break as a result of this. I can't speak for the other developers here, but I personally am not in a position to take on that sort of commitment on top of everything else. If you or any other developers would be seriously interested in taking on this responsibility, then we can discuss this further. Otherwise I believe we should stick with Ncurses.

- Scott

On 05/16/2018 07:39 AM, LM wrote:
> Was looking through the packages list for Phase II. Was wondering if
> anyone has looked into using BSD-curses (
> https://github.com/sabotage-linux/netbsd-curses ) as an alternative to
> ncurses. I know a few other Linux distributions that have made the
> switch. Think it's great that you're using packages like libressl
> instead of openssl and eudev, sysvinit instead of the systemd
> packages.