On Thu, Nov 04, 2021 at 10:20:35AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Nov 04, 2021 at 11:12:37AM +0100, Jakub Jelinek wrote:
> On Thu, Nov 04, 2021 at 10:56:04AM +0100, Florian Weimer wrote:
> > >> The general case of any statically linked code. It could be libgcc,
> > >> startup files, the non-shared bits of glibc, static-only libraries, or
> > >> header-only C++ libraries.
> >
> > > This would be indeed useful, but quite harder to do automagically I
> > > think?
> >
> > It requires some level of toolchain support, in compilers and linkers.
> >
> > It's unlikely that this would use a JSON-based approach, though. I
> > think what we want in the linker for this is that it de-duplicates and
> > merges individual artifact identifiers, so that one ends up with a
> > single string "glibc-2.34-7.fc35" instead of multiple copies of it. But
> > I can't see us implementing JSON processing in the linker (all four of
> > them).
>
> I think JSON is a bad idea for the notes in this proposal either, it really
> wastes memory per process and so should be encoded in some binary form in as
> few bytes as possible, or perhaps at least compressed JSON.
We checked compression, and it just isn't worth it. When you compress
100–200 bytes, the output might be a tiny bit smaller, but once the
compression alg header is added it becomes a wash. And we lose the important
properties of simplicity and the ability to read this in a text dump without
further processing. It just isn't worth it.
Example:
$ cat /tmp/payload
{"type":"rpm","name":"systemd","version":"249.4-1.fc35","architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:35"}
$ for c in zstd gzip xz; do $c -k /tmp/payload; done
$ ls -l /tmp/f*
122 /tmp/f
125 /tmp/f.gz
172 /tmp/f.xz
120 /tmp/f.zst
Zbyszek
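The measurement above, redone as an added Python example that is not part of the thread: the same note payload is run through raw DEFLATE, zlib, gzip and xz framing so the container overhead is visible byte by byte, and a strings-style check shows that only the unframed note stays readable in a plain dump. zstd is left out because the Python standard library used here has no zstd module; the payload is the JSON from the message, newline-terminated like the pasted file.

```python
import gzip
import json
import lzma
import zlib

# The package note from the thread, serialized in the same compact form and
# newline-terminated as the pasted /tmp/payload was (122 bytes).
NOTE = {
    "type": "rpm",
    "name": "systemd",
    "version": "249.4-1.fc35",
    "architecture": "x86_64",
    "osCpe": "cpe:/o:fedoraproject:fedora:35",
}
PAYLOAD = (json.dumps(NOTE, separators=(",", ":")) + "\n").encode()


def raw_deflate(data: bytes, level: int = 9) -> bytes:
    """Bare DEFLATE stream with no container: the part that actually shrinks."""
    c = zlib.compressobj(level, zlib.DEFLATED, -15)  # negative wbits = no header
    return c.compress(data) + c.flush()


def encodings(data: bytes) -> dict:
    """Byte size of the note under each framing, so the overhead can be read off."""
    return {
        "raw": len(data),
        "deflate": len(raw_deflate(data)),
        # zlib: deflate + 2-byte header + 4-byte adler32
        "zlib": len(zlib.compress(data, 9)),
        # gzip: deflate + 10-byte header + 8-byte crc/size trailer (mtime=0, no name)
        "gzip": len(gzip.compress(data, 9, mtime=0)),
        # xz: stream header, block header, index and footer dwarf a 122-byte note
        "xz": len(lzma.compress(data)),
    }


def readable_in_dump(blob: bytes, marker: bytes = b"systemd") -> bool:
    """Would a `strings`-style dump of this blob still show the package name?"""
    return marker in blob


if __name__ == "__main__":
    for name, size in encodings(PAYLOAD).items():
        print(f"{name:8s} {size:4d} bytes")
    print("plain note readable:", readable_in_dump(PAYLOAD))
    print("deflated note readable:", readable_in_dump(raw_deflate(PAYLOAD)))
```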