MongoDB 2.0 Released


Eliot Horowitz

Sep 12, 2011, 11:33:25 AM
to mongod...@googlegroups.com, mongo...@googlegroups.com, mongodb-...@googlegroups.com
MongoDB 2.0 has been released.

Please read all the details here:
http://blog.mongodb.org/post/10126837729/mongodb-2-0-released

Downloads: http://www.mongodb.org/downloads

-Eliot

Ultrabug

Sep 13, 2011, 7:59:40 AM
to mongo...@googlegroups.com, ric...@10gen.com
Hello,

I would please like to discuss and understand the new third_party
bundled libs and express my concerns as a Gentoo Linux packager of MongoDB.

*pcre-7.4* : apart from being out of date, this version suffers from
CVE-2008-0674 security leak [1]. It also looks to fail at compiling on
recent gcc [2] (though more digging would be needed on that one).

I also permit myself to question the need of shipping/forcing
spidermonkey-1.7 & snappy as bundled third_party software as before the
2.x series of MongoDB we had no problem using distro packaged versions
of those dependencies.

-> Could you please explain why you changed this behavior and are now
shipping those dependencies yourself? Did you make some major changes
and fix the vulnerability issue, for example?

We would definitely be more comfortable following your recommended dep.
versions instead of having to patch or deal with obsolete/vulnerable
bundled software.

As a side note about the build system, we are today patching scons to
respect users' compilation flags; you'll find the patch attached. Could
you please consider it as well?

Thank you very much for your work and answers.

Ultrabug, Gentoo developer

[1] https://bugs.gentoo.org/209067
[2] http://dpaste.org/6nH97/

mongodb-2.0-fix-scons.patch
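The packaging concern above is that a bundled copy of a library freezes it at a version with known defects. An added example (not from this thread and not part of MongoDB's build) of the check a packager can run over a `third_party` tree: it reads the `PCRE_MAJOR`/`PCRE_MINOR` macros from a bundled `pcre.h` and compares them against a minimum-version table. The table entry `pcre >= 7.6` is my recollection of where CVE-2008-0674 was fixed upstream and is an assumption here; the sample header text is constructed.

```python
"""Audit bundled third_party libraries against minimum acceptable versions."""
import re
from pathlib import Path

# Minimum versions we are willing to ship. The pcre entry is an assumption
# (CVE-2008-0674, named in the thread, is fixed from 7.6 upward as I recall).
MIN_SAFE_VERSIONS = {
    "pcre": (7, 6),
}


def parse_pcre_version(header_text):
    """Return (major, minor) from the PCRE_MAJOR / PCRE_MINOR macros in pcre.h."""
    major = re.search(r"^#define\s+PCRE_MAJOR\s+(\d+)", header_text, re.M)
    minor = re.search(r"^#define\s+PCRE_MINOR\s+(\d+)", header_text, re.M)
    if not (major and minor):
        raise ValueError("no PCRE_MAJOR/PCRE_MINOR macros found")
    return int(major.group(1)), int(minor.group(1))


def audit_library(name, version):
    """Return a finding string when `version` is below the recorded minimum.

    Returns None when the version is acceptable; libraries with no recorded
    minimum are reported so they get a manual review instead of silent approval.
    """
    minimum = MIN_SAFE_VERSIONS.get(name)
    if minimum is None:
        return f"{name}: no minimum version recorded, review manually"
    if version < minimum:
        return (f"{name}-{version[0]}.{version[1]} is below minimum "
                f"{minimum[0]}.{minimum[1]}")
    return None


def audit_tree(root):
    """Walk a third_party directory and audit every bundled pcre.h found in it."""
    findings = []
    for header in Path(root).rglob("pcre.h"):
        version = parse_pcre_version(header.read_text())
        finding = audit_library("pcre", version)
        if finding:
            findings.append(f"{header}: {finding}")
    return findings


# Constructed sample resembling the version macros of a PCRE 7.4 header.
SAMPLE_PCRE_H = """\
#define PCRE_MAJOR          7
#define PCRE_MINOR          4
#define PCRE_PRERELEASE
"""

if __name__ == "__main__":
    version = parse_pcre_version(SAMPLE_PCRE_H)
    print(version, audit_library("pcre", version))
    # On a real checkout: print(audit_tree("third_party"))
```

Run it against a source tree with `audit_tree("third_party")`; extend `MIN_SAFE_VERSIONS` and add a parser per library (snappy and spidermonkey expose their versions differently) as the bundled set grows.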

Eliot Horowitz

Sep 13, 2011, 8:59:42 AM
to mongo...@googlegroups.com
The general reason for bundling is that we can enforce using versions
that we know work well.
We were finding lots of issues with people using different versions of
libraries causing problems.

See these 2 cases to address some of your issues:
https://jira.mongodb.org/browse/SERVER-3827
https://jira.mongodb.org/browse/SERVER-3829


Chris Lalancette

Sep 13, 2011, 9:14:40 AM
to mongo...@googlegroups.com, ric...@10gen.com
On 09/13/11 - 01:59:40PM, Ultrabug wrote:
> Hello,
>
> I would please like to discuss and understand the new third_party
> bundled libs and express my concerns as a Gentoo Linux packager of MongoDB.
>
> *pcre-7.4* : apart from being out of date, this version suffers from
> CVE-2008-0674 security leak [1]. It also looks to fail at compiling on
> recent gcc [2] (though more digging would be needed on that one).
>
> I also permit myself to question the need of shipping/forcing
> spidermonkey-1.7 & snappy as bundled third_party software as before the
> 2.x series of MongoDB we had no problem using distro packaged versions
> of those dependencies.
>
> -> Could you please explain why you changed this behavior and are now
> shipping those dependencies yourself? Did you make some major changes
> and fix the vulnerability issue, for example?
>
> We would definitely be more comfortable following your recommended dep.
> versions instead of having to patch or deal with obsolete/vulnerable
> bundled software.

I'll point out that we are going to have a similar problem packaging 2.0 for
Fedora, as Fedora forbids bundled libraries in applications. We typically
resolve this either by using a compile flag to disable bundled libraries, or
by stripping out the bundled libraries and patching where necessary to use the
system libraries. We obviously prefer the former as that is maintained by
upstream; I have not looked at 2.0 yet to determine if there is a compile-time
flag for this.

--
Chris Lalancette

Ultrabug

Sep 13, 2011, 10:59:57 AM
to mongo...@googlegroups.com
Thanks for your quick reply.

On 13/09/2011 14:59, Eliot Horowitz wrote:
> The general reason for bundling is that we can enforce using versions
> that we know work well.
> We were finding lots of issues with people using different versions of
> libraries causing problems.
>

On a long term planning side from at least our packaging PoV, we need to
take into account that those libs also evolve and will eventually get
obsolete/removed on distros, so you may also consider benefiting from
their evolution instead of fixing them in time with bundling (even if
it's easier said than done, with all due respect).

Indeed, so we'll have to wait for 2.0.1, oh well :)

Would you mind commenting on the pcre vulnerability issue and on the
provided patch, please?

Kindly,

Dwight Merriman

Sep 13, 2011, 11:33:49 AM
to mongo...@googlegroups.com
I don't know enough about the make process details to comment on the patch, but we will use a newer pcre in the future.

I'm not sure, but I suspect -ggdb might make the stack traces logged meaningful and possible; not sure.

Eliot Horowitz

Sep 13, 2011, 11:57:36 AM
to mongo...@googlegroups.com
Re: the patch, the environ changes are probably ok; not sure if they
need to be checked for environments without those set.

The other changes definitely aren't as is.

-O3 is very important for performance
-Werror is generally good to have unless there is a very good reason not to
-ggdb is required for debugging at all. We usually strip known good
binaries but keep copies with symbols.

Ultrabug

Sep 14, 2011, 5:20:39 AM
to mongo...@googlegroups.com
Without going too deep on arguing, I'll just give our point of view on
those points and then leave it to your development decisions.

That being said, all the above proposals should be totally transparent
to your building system and let you too have a choice :). This would not
prevent you from packaging/building MongoDB with your own recommended
flags anyway.

On 13/09/2011 17:57, Eliot Horowitz wrote:
> Re: the patch, the environ changes are probably ok; not sure if they
> need to be checked for environments without those set.
>
> The other changes definitely aren't as is.
>
> -O3 is very important for performance

It can also hurt performance; it's all about the application's use cases,
and that's why we ask for respect of users' choices/optimizations.

> -Werror is generally good to have unless there is a very good reason not to

I'll leave it to my fellow developer Flameeyes' posts here [1]; he's
discussed and explained this matter already and is way more experienced
on the subject than I am. This link [2] explains it all on this
particular matter.

> -ggdb is required for debugging at all. we usually strip known good
> binaries but keep copies with symbols

This includes debug information and slows down builds. As much as I
understand that information is essential to you, it's not always the case
for everyone. Maybe a switch would be enough.

> On Tue, Sep 13, 2011 at 10:59 AM, Ultrabug <ultr...@ultrabug.net> wrote:
>> Would you mind commenting on the pcre vulnerability issue and on the
>> provided patch, please?

Thank you again for hearing us.

Kindly,

[1] http://www.google.com/cse?cx=partner-pub-5680461976565009%3Ahtpskt-of33&ie=UTF-8&sa=Search&q=Werror
[2] http://blog.flameeyes.eu/2009/02/25/future-proof-your-code-dont-use-werror
