It is a lot more cumbersome for distros to create packages for bundled software especially from a QA and security standpoint. The security standpoint stands out the most because modified bundled libraries have not been fully vetted by software security teams and their vulnerabilities can easily be leveraged by attackers if the bundled library is older and contains known vulnerabilities or if the internal modifications to them create vulnerabilities.
It is better not to bundle unrar and use the actual unrar library that is provided by rarlabs. According to the README, some modifications were made to this bundled library:
"Some modifications have been applied to the UnRAR library, mainly to allow
streaming extraction of files without using threads."
Is there any reason why these changes cannot be committed upstream and turned on/off using a configure flag so that you don't have to bundle this library?
package should depend on unrar library with needed patches pushed upstream.
package bundles unrar
AFAIK vanilla unrar sources didn't even compile with PHP since it uses the same constants in its headers, so at least one modification is indeed required.
I didn't contact the authors of unrar mostly because I thought they would feel reluctant to change their sources just because somebody else happens to use similar constants, but I guess we can try to do it after all.
Is it possible for you to issue a patch file to convert a version downloaded from rarlab into a suitable version for this library?
For example, the Fileinfo extension provides a libmagic.patch to convert upstream into a version able to be used by PHP.
Something like this could be useful to help backporting newer versions in the future.
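The workflow suggested above (keep the bundled copy as "pristine upstream plus one patch file", so reviewers see exactly what was changed and a newer upstream release can be re-patched) can be checked mechanically. The script below is an added example and is not code from this bug thread, from the PECL rar extension or from rarlab; the `unpack.c` contents, the constant names and the `start_thread`/`unpack_stream` calls are constructed stand-ins, and `apply_patch` is a minimal single-file unified-diff reader written for the demo rather than the `patch` tool. It generates the patch with `difflib`, proves the patch reproduces the bundled tree from upstream, and reports when a newer (constructed) upstream no longer accepts the patch, which is the point at which the bundled copy would otherwise silently fall out of date.

```python
"""Keep a bundled library's local modifications as one reproducible patch.

Added example, not from the bug thread or the extension. All sources are
constructed stand-ins; apply_patch is a demo applier, not GNU patch.
"""
import difflib
import re

# Constructed: pristine upstream file as downloaded.
UPSTREAM = """\
#define ERAR_SUCCESS 0
#define ERAR_END_ARCHIVE 10

int unpack(const char *path)
{
    start_thread(path);
    return ERAR_SUCCESS;
}
"""

# Constructed: bundled copy with two local modifications
# (prefixed constants to avoid header clashes, no threaded extraction).
BUNDLED = """\
#define BUNDLED_ERAR_SUCCESS 0
#define BUNDLED_ERAR_END_ARCHIVE 10

int unpack(const char *path)
{
    unpack_stream(path);
    return BUNDLED_ERAR_SUCCESS;
}
"""

# Constructed: a later upstream release that renamed a constant, so the
# old patch no longer matches its context.
NEW_UPSTREAM = UPSTREAM.replace("ERAR_SUCCESS", "ERAR_OK")

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def make_patch(upstream: str, bundled: str, name: str = "unpack.c") -> str:
    """Unified diff from the upstream file to the bundled copy (-p1 paths)."""
    return "".join(difflib.unified_diff(
        upstream.splitlines(keepends=True), bundled.splitlines(keepends=True),
        fromfile=f"a/{name}", tofile=f"b/{name}"))


def apply_patch(source: str, patch: str) -> str:
    """Apply a single-file unified diff to `source`.

    Raises ValueError when a context or removed line does not match, i.e.
    the patch must be rebased onto the new upstream before bundling."""
    src = source.splitlines(keepends=True)
    out = []
    pos = 0  # index of the next source line not yet copied to `out`
    lines = patch.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:  # file headers ("---"/"+++") and anything else: skip
            i += 1
            continue
        # "-0,0" means insertion into an empty range at line 0
        old_start = int(m.group(1)) - (0 if m.group(2) == "0" else 1)
        out.extend(src[pos:old_start])  # unchanged lines before the hunk
        pos = old_start
        i += 1
        while i < len(lines) and lines[i][0] in " -+\\":
            tag, body = lines[i][0], lines[i][1:]
            if tag in " -":  # context or removal must match the source
                if pos >= len(src) or src[pos] != body:
                    raise ValueError(f"hunk at line {old_start + 1} does not apply")
                if tag == " ":
                    out.append(body)
                pos += 1
            elif tag == "+":
                out.append(body)
            # "\ No newline at end of file" carries no content; ignored
            i += 1
    out.extend(src[pos:])  # remaining unchanged tail
    return "".join(out)


def patch_applies(source: str, patch: str) -> bool:
    """True if the patch applies cleanly to `source`."""
    try:
        apply_patch(source, patch)
        return True
    except ValueError:
        return False


PATCH = make_patch(UPSTREAM, BUNDLED)

if __name__ == "__main__":
    print(PATCH)
    print("patch reproduces bundled copy:", apply_patch(UPSTREAM, PATCH) == BUNDLED)
    print("patch applies to new upstream:", patch_applies(NEW_UPSTREAM, PATCH))
```

In a real tree the same check would be `diff -ruN upstream/ bundled/ > local.patch` followed by applying it to a fresh upstream copy and diffing the result against the bundled directory; an empty diff means the patch file fully documents the bundled modifications, and a rejected hunk on a newer upstream is the signal to rebase rather than to keep shipping the older copy.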
Sure, it's pretty simple. I'll look into it on the next week.
Re-assigning this to the current maintainer (so he can get some notice that this bug is now available!)