So welcome everyone. We have our next presenter here. I would like to introduce Vít Ondruch, who is a software engineer at Red Hat. He has been with Red Hat for more than five years and he is mainly working on Ruby-related things and packages. He will present all sorts of flavors of bundling, so the floor is yours.

So, can you hear me? Hi, how are you doing today? Thank you for having me here. My name is Vít Ondruch and today I'd like to talk about bundling a bit. You might be wondering first why I want to speak about bundling. This talk was actually triggered by recent changes in the bundling policies in Fedora. You probably remember that bundling was prohibited; now it's enabled, and I say "enabled" because there are actually no rules about how to do it, or what the rules are, if there are any, because all the references to the previous bundling policies were removed. So we are a bit in a vacuum, and that's why I chose to talk about this topic.

First, what bundling actually is. If I say bundling, you might imagine something like this. This is a box, there is a lot of stuff inside, and you just see the outside image. Actually, this is not a very scientific definition, so I tried to find out what bundling actually is, because for example in the Fedora guidelines there is no mention, no definition. So I tried to ask Merriam-Webster, which is a very profound source of definitions: "a group of things that are fastened tight or wrapped together". So this is precisely the description of the box on the previous slide. Or "a group of things that are together or are associated with each other in some way". Okay, so this is what Merriam-Webster says. Wikipedia? Well, no luck.
There is actually something about software bundling: bundled software is a group of software packages which are sold together. In the open source world this does not work. Actually, Debian has quite an interesting definition of bundling; they speak about "convenience copies". The precise quote is: "Some software packages include in their distribution convenience copies of code from other software packages, generally so that users compiling from source don't have to download multiple packages." I have to say I quite like this definition.

So actually, why do we care about bundling, and why were there some policies about bundling in Fedora? First of all, this is a security issue. You will see in my later examples that it might cause interesting issues in various pieces of software. Another point is licensing. I can show these points. Licensing is a very interesting topic; we will touch on it later during this presentation. Code duplication: how to actually find what is in the software, in the package itself; how to distinguish whether the software has some patches applied and whether it differs from upstream or not. Related is maintainability in general; for example, you fix a bug in one place, but there is a copy included in some other piece of software and the bug is not fixed there. Actually, I'll show you an example of this later.

So, first of all, you might think that bundling is bad, and I will show you that it's not that easy with bundling. It's simple to say "don't bundle, unbundle, because you will save yourself problems", but that's not entirely true, and actually in reality you see that people bundle everywhere. So, a question for you: do you bundle or don't you bundle, or what is your opinion?
Okay, at least one guy does not bundle. Nice. Okay, so now let's look at some examples I met in the past, and I'll try to discuss what the story was about the bundling, how it started and how it went. As the first one, let's talk about Passenger. Is there anybody here who knows what Passenger is? Yeah. Passenger was originally an Apache module for serving Ruby on Rails applications; today it's even a standalone web server and so on, the project evolved in these three years of its existence. So what was the issue with Passenger? There were several issues, licensing and so on, but those were resolved quite fast. The biggest issue was the bundled copy of Boost. That was the problem, because it's a security concern; as I said, it's basically a web server or a web server module, so the computer might be attacked remotely and for example there might be a denial of service, so your application won't run if there is some issue in the bundled library. Actually, why did they bundle Boost? Because they made some so-called highly specific modifications. They did it of course for performance reasons, because Apache, or Passenger, is a Linux platform, so they did their modifications to improve performance and to give higher satisfaction to their users. But what was the problem for our users, for Fedora users? The problem was that it took four years to pass the review, and although there was bundled Boost at the beginning, it is still bundled there, so the only difference is that there was a lot of discussion, long talk about whether it can be upstreamed, and actually part of the code, as far as I remember, was upstreamed, so those parts are now really integrated in Boost.
So this was a good output of the discussion, but at the end FPC granted a bundling exception and we still have Passenger with bundled Boost. I can't say for sure here, but I guess that the situation is not better these days, because they include part of nginx and so on. But to have Ruby on Rails, or Ruby on Rails applications, and not have Passenger on our system, this is a big fail for Fedora. So yep, actually the exception was a good solution for our users at the end.

So the next package: Bundler. It's quite a precise name for this presentation. Actually, Bundler was initially called this way because it allows you to bundle the packages your applications are using into your application, so you can easily distribute it, for example on your web server. But unfortunately Bundler also bundles some software inside. It started with actually the first version of Bundler we had in Fedora, which was 1.0.9, and at that time Bundler bundled Thor. Thor is a library which is used for the command line interface. Actually, at that time it was quite easy to unbundle Thor, because Bundler was trying to load the system instance of Thor, and once it found it, it just used it. So it was enough to just remove this library from Bundler and everything worked, or at least it seemed to work. In version 1.1.4 (we are not updating this package for every release in Fedora, so there might be some versions in between, but the next interesting version was 1.1.4) they introduced another bundled library, this time Net::HTTP::Persistent. This is actually used for persistent connections, so you can reuse the connection and it improves the performance of downloading packages and communication with the server. This was also easy to unbundle at that time.
It was just: remove the package and that was it. However, in version 1.7.4 it started to be problematic. We had to add explicit dependencies on Thor and Net::HTTP::Persistent into Bundler because we dropped them there, and we had to provide symlinks from Thor and Net::HTTP::Persistent to their original place to keep Bundler working, because the Bundler guys changed the way the libraries were loaded; they didn't try anymore to load the system versions of the libraries. And there was a big gap before the next version, because somewhere in version 1.9 they again changed the way they bundle, and they actually introduced another dependency, this time Molinillo. They extracted their dependency resolver, or they built a new dependency resolver, and introduced this new dependency. What was the biggest hurdle? Together with the introduction of Molinillo, they started to modify the bundled versions of the libraries, so all three bundled versions of the libraries are not possible to remove anymore. Actually, the code is 100% the same; the only change in the code is the introduction of namespaces, and the thing is that upstream had quite a good reason to namespace these libraries, because they had collisions.
They had collisions with different versions of Thor which might be on your system and were not compatible; it might happen that a different version was loaded before the bundled version and so on, and it resulted in incompatibilities and unexpected crashes and so on. Bundler itself is a packaging maintainer and loader for libraries, so they are on pretty thin ice and they always have to be careful about what they are loading, and I can understand why they namespaced the libraries; from my point of view it was a good solution. I just wanted to demonstrate what the evolution was: at the beginning it was just a bundle of some libraries and it was quite easy to remove them; at the end there is no way, I personally can't see a way, to remove this bundling, and I agree with upstream that they have their reasons. The other possibility for them would be to reimplement the libraries, which is probably a bad solution as well.

So I already mentioned Molinillo. Molinillo, as I said, is a generic dependency resolution implementation. Well, what is the problem? I don't understand why they did not use, for example, something like libsolv, but that's not up to me. It's bundled now in Bundler, and what's the problem? It's also bundled in RubyGems, and since it's bundled in RubyGems, it's also bundled in Ruby. So why is it actually bundled in RubyGems? The thing is that RubyGems historically had their own resolver. Now they said, oh, it would be nice if Bundler used the same resolver as RubyGems. So they brought in Molinillo, and since RubyGems is again a crucial piece of software which is responsible for loading libraries and so on, it's hard for such a library to have some external dependencies.
They said, okay, so we will bundle Molinillo and we will change the namespaces again. So now we have Molinillo in RubyGems, and I actually tried to convince them that these libraries are collaborating, so maybe the RubyGems version could be the only version, and Bundler, since it depends on RubyGems, could use the RubyGems version of Molinillo. And they said, hmm, I'm sorry, we cannot unbundle this because of backward compatibility, because Bundler is supposed to work with various versions of RubyGems and not only the latest version, so we cannot unbundle. And I was not able to convince them to put there at least some condition like "if we are working with the latest version of RubyGems, we'll use the RubyGems version". So yeah, sometimes it's a hard decision for me and for upstream as well.

Here is actually an example, just so you can trust me about what I said about the differences. This is just one part of the code and you can see it's one hundred percent the same except the namespace, which is different; you can see Gem::Resolver, and there is no namespace. Actually, if you read carefully, I am lying to you, because there is this line. I mentioned before that maintenance and fixes in code might be problematic, and this is precisely an example of the maintenance issue, because Ruby 2.3 introduced this nice pragma, frozen_string_literal, and you can use it to change the behavior of strings. Somebody came and said, oh, this is a good feature, so let's change all the RubyGems files to include this directive, and this pull request was accepted.
So now this change is in RubyGems, but actually it's not in upstream, so I can see that in the future they will release a new version of Molinillo and this line will once again disappear from RubyGems. Well, but maybe I'm wrong and they have a better workflow than I think. Okay, so let's move forward.

Now, an interesting thing is something which is called a copylib. This is actually a definition coming from the Fedora bundling or unbundling guidelines, which now, well, don't exist anymore, but in the old version of these guidelines there was this definition: "The definition of copylib is somewhat amorphous. At its basic level, the upstream for the library intends for you to copy the source code of the library into your program, modify it to suit your needs, and then release your software with your modifications to that source." So, well, that's the definition. Let's look at some examples. The first example of a copylib I met was OkJson. It's quite a simple JSON parser and it has no dependencies, and what upstream says is: this is intended to be vendored. It's not a gem. Instead, copy OkJson into your project and require it directly. It's small.
It's small, so you can use it by default instead of bloated JSON parsers, and the only thing you have to do, or should do, is to modify the namespace again. What was interesting with the upstream were, for example, discussions about versioning and so on. Finally, FPC granted an exception to OkJson as a copylib, but there is quite an interesting remark from FPC about OkJson being granted a bundling exception. Yeah, so the issue with versions I mentioned is that once you bundle a copylib, you should have a virtual Provides which says "bundled OkJson", and there should be a version. And actually for upstream it was quite okay: "yeah, we are using it, so we don't need versions, because in git you have hashes and you can look at the git log and you see what was released when" and so on. Well, actually, this Provides should be versioned in Fedora, so I had to come to upstream and ask them: okay, if this is a copylib, could you please add some versions? It took some time to convince them; they added the version, but later they forgot about it and they did new modifications, new releases, without changing the version, and so on. So these are the complications or issues you are facing as somebody who wants to do a good packaging job.

So yeah, actually there was another remark which was still in the bundling guidelines, like "the Fedora Packaging Committee generally frowns upon this behavior". So from my point of view this is sending a bad message to upstreams, speaking about upstream this way. I wouldn't like to be mentioned on a Fedora page with this remark.

So, next thing. It's actually also a case of copylibs. Have you ever heard about CCAN? Anybody? Yeah, okay, so at least somebody. It's like, you probably know CPAN. CPAN, yes, CPAN. Peter is here.
So, and some Perl guys are here, so they know about it. This is something like CPAN for C, and actually it's just a collection of snippets, libraries. These are just a few random examples; actually these are quite useful routines which you reimplement a lot of times, like this list and so on; there are specific hashing algorithms which you don't need to reimplement. Actually, from my point of view, it's quite good if you can take this proven code and use it in your software. So, for example, for CCAN there is a granted exception, but not a general exception, just for some specific parts, specific libraries. How it looks in real life: for example, in Ruby this piece of code is bundled, and this is just a small part. Actually, this is the full code which is in Ruby, but this is just a small part of the original library. So, although I'm something like a packager and so on, it's quite hard to find these pieces of code in your code. So I asked, actually this specific snippet was not approved yet, so I asked FPC for a bundling exception, and the response was: "Given it's just these two small macros, I don't even think it classifies as bundling. Roughly 666 C projects have implemented those two macros in that exact way. There isn't another way to do it." So actually it was quite strange: on one hand you should ask for exceptions, on the other hand it's waved away like this, like you are asking and you don't need the exception. On the other hand, I must say it was quite a reasonable answer, because yeah, it's just really two lines and there is nothing special you can do in a different way.

Okay, another interesting example of bundling: netlib. Has anybody heard about netlib?
It's actually something like CCAN, and it's probably older and maybe not that sophisticated, so it's again a collection of some libraries. And with netlib there is some interesting story. You see a CVE: Ruby heap overflow in floating point parsing, and in the notes, in the description of this issue, you can see "this is similar to bug" and a CVE from 2009. You see, it's like four years before this one happened. Well, so I curiously opened the description of the bug: what is this 2009 bug about? It's like "array indexing error in dtoa implementation, blah blah blah", and it impacts FreeBSD (several versions), NetBSD, OpenBSD, Mozilla SpiderMonkey and so on. Wow, it's quite a lot of software which is widely used. And actually this is not everything, because once this was reported against Ruby, it was discovered that there are similar issues in Python, MySQL, V8 and, well, probably other pieces, in other places, maybe in your software, I don't know. But surprisingly, although there is an exception for CCAN, there is no mention of netlib anywhere in the bundling policies, or the former bundling policies, of Fedora and so on.

Okay, so this was quite established infrastructure for sharing your code, and now what about snippets? Have you ever used Stack Overflow? Probably everybody of you. And have you ever cared what the license actually is? So, well, for me, I really don't know; yesterday was the first time I was trying to investigate what the license of the snippets actually is.
Yeah, so once you log in to Stack Overflow you agree that whatever is published there is published under the Creative Commons Attribution-ShareAlike license. But this is only when you log in there as a registered user. But I guess that the majority of use cases are like: let's ask Google, you will get some answer, by coincidence it's on Stack Overflow, you get the snippet, you place it into your code and you are happy and go forward with coding, with your life, and so on. So, well, for me it's questionable. Even though, also with Creative Commons, there are just some obligations: you must give appropriate credit, provide a link to the license and indicate if changes were made; if you remix, transform or build upon the material, you must distribute your contributions under the same license as the original. Okay, I don't know how you feel about it, whether you are bound as a non-registered user by this license or not; this is probably a question for lawyers. The same applies for GitHub. Yeah, for Stack Overflow there is at least some license; for GitHub they say they don't change or take any rights from your code and so on, and if you take some code from just github.com...
I really don't know. So yeah, you have to decide, you have to ask your lawyers probably. Another source might be publications. They might have undergone some more review than just snippets of code on Stack Overflow, but, well, who knows. For example, there was an interesting issue: Ruby hash table collision CPU usage denial of service. It degrades hash performance from constant complexity to linear complexity, and the thing is that this hashing algorithm is used, surprisingly, by all these languages and frameworks; they are all using the same algorithm, and the thing is that this CVE, actually this oCERT advisory, was reported against all these frameworks and engines at the same time. So it means, even though it might be published in some book, some publication, once you take the code and start to use it you might get in trouble. Although, well, maybe you would never write it better, I don't know.

Another thing is header-only libraries. It happens, for example, specifically for C++ with the templates and so on, that you are using just headers; there is like no code, so the output of that code is generated during compilation and it's baked into your library. So in this case it's like the case of static libraries. In Fedora it might be possible to find them; there are some rules that you have to use a specific -static suffix, but it's generally discouraged to use static linking and so on. But there are again exceptions for static libraries and static linking, for example OCaml. This is what is in the guidelines, and a recent example is Go. Yeah, Go is statically linked by design, and actually the Go packaging guidelines have been two years under review. So, is anybody using Go? Yeah, okay. So yeah, Go, for example; or Docker is written in Go.
So we have Go and we have Docker in Fedora and we have no guidelines. Well, but it works.

JavaScript. Well, there are bundling exceptions for JavaScript; they are evolving, and bundling was allowed, and this is the recent news: bundling is a temporary exception until jQuery is packaged properly. From my opinion, or from what I know, it never happened and it does not really work. JavaScript is quite an interesting beast anyway, because I know quite a lot of libraries which ship JavaScript, but it's never executed on your computer or on the server where it might be; it's every time distributed over the network, so there are different things you have to consider, like the data size, or the number of requests you make against the web server; it impacts performance.

Another interesting thing: documentation. There are plenty of frameworks which include JavaScript for displaying documentation and so on, so this is again the case for jQuery; for example, RDoc and YARD are shipping their version of jQuery. From my experience, it will be hard if somebody really wants to remove this dependency or to replace it with the system version of jQuery; I can't imagine it. And of course the generated documentation can also contain snippets of obsolete code, so if you make a mistake, or have a security bug in your documentation, and you distribute it, well, people will use this documentation and they will again have the bugs you probably fixed.

Another thing: generators. You know, Bison, Ragel, SWIG: all generators can contain bugs, and you are using them.
So again, from my point of view, you bundle their code; if they make a mistake or introduce some error, you have this error in your project.

Well, I spoke about bundling, and I see that we have fought against bundling for so long, and the ultimate solution to bundling nowadays is containers, virtual machines, software collections and so on. This is, in my opinion, just bundling in a different way. These technologies definitely have their use cases; I'm not generally against containers, virtual machines and so on, but you should always consider what you need and the consequences.

So I presented plenty of real-life examples, and now I have again the question: who is bundling? Maybe you have changed your mind, or I'd like you to consider, next time when you are going to bundle something, to really think about the consequences. This is like the main message of this talk. At the end I just want to use again an FPC quote which describes this topic quite well, I'd say; it's like "because software engineering is hard". I don't know, but you can take a look at the link and find it out. Okay, so thank you, that was it, and if you have any questions...

If we have time for questions, we have two minutes.

What do you think is the best example when the bundling really succeeded, and the opposite? Yeah, you presented many examples.

Hmm, actually, thank you for the question, it's a really good question. I cannot say exactly, but I quite like the Bundler example, because this was an evolution. I had the chance to follow the project and see the evolution: at first it was not really bundling, they just shipped these two libraries, they defaulted to the system version, but the project itself learned that it's not possible, because it breaks the user experience of their users. So they evolved.
First they really had a hard dependency on the bundled library, and at the end they were forced to change the namespaces. Yeah, I believe this is a good example where the bundling has its place. I hate to say this, but I really think they put a thought into this.

Hi, it seems like one of the biggest issues with bundling is you lose visibility into what's been bundled. Yep. And looking at Docker images, if we're able to know what's gone into the image and we're able to track that, so it's bundling, but we know those bundles, does that mitigate it?

Well, I would say, of course it's like a second level of bundling, because I showed you plenty of examples like copylibs and so on; you already don't know what is in the code, and if you say, oh, let's take these packages and put this into the container, you know even less about the content of the container. So I don't think that containers are like a solution to bundling. It's just, well, it might help in some spaces, but I don't see it as a generic solution.

I see this as a consequence, and from my point of view, or from the point of view of bundling, a bad consequence, because there are of course even different reasons. For example, for Passenger the resolution could be like "fork Boost", and would it be a better solution for everybody, or for anybody? I don't know. I can't imagine there would be a "Passenger Boost", because who would be the different users and so on?

So I'm sorry, we are out of time and we need to change and prepare for the next presenter. So thank you for your presentation, and feel free to grab him in the hallway and discuss this really deeply. So thank you again. Thank you. Thank you.

So welcome everyone. As was said, if you have three seats on your left or right you are doing it wrong, so please squeeze into the middle so we can fit as many people as possible into the room.