PR #541 committed a large amount of Windows binary dependencies directly into the source tree, rather than pulling them via vcpkg as the rest of the project already does.
Sizes (as checked in)
| Directory |
Size |
Notes |
client_generic/socket.io-client-cpp/lib/ |
219 MB |
Debug + Release static libs, Win32 and x64 |
client_generic/ffmpeg/win32/ffmpeg-6.1.1-93/ |
117 MB |
bin/*.dll (avdevice-60.dll, etc.) and lib/* |
client_generic/openssl-1.0.2k/windows/ |
62 MB |
lib/msvc/x64/* |
client_generic/boost/win32/lib/ |
23 MB |
libboost_*-vc143-mt-s{,gd}-x64-1_83.lib (~40 files) |
client_generic/curl/lib/{debug,release}-ssl-zlib/ |
14 MB |
|
| Total |
~440 MB |
|
These are referenced from client_generic/MSVC/electricsheep.vcxproj as include/lib search paths.
Why this is bad
- vcpkg is already the project's declared dependency manager.
vcpkg.json and vcpkg/ are used by the macOS build. There's no reason Windows can't use the same mechanism — vcpkg supports MSVC + clang-cl natively, and all five of these libraries are already in the vcpkg registry (boost-*, ffmpeg, openssl, curl, socket.io-client-cpp).
- Repo bloat. ~440 MB of binary blobs in git history is expensive to clone, slow for CI, and impossible to garbage-collect once committed without history rewrites.
- Ancient versions.
openssl-1.0.2k (2017, EOL'd in 2019) and a pinned ffmpeg-6.1.1-93 are stuck at whatever snapshot was vendored, with no upgrade path. openssl 1.0.2 in particular has known unpatched CVEs.
- Unreproducible. There's no way to regenerate these
.lib files from source — we'd have to trust whatever machine built them originally.
- Mixed with project sources.
boost/win32/, ffmpeg/win32/, curl/lib/, openssl-1.0.2k/ and socket.io-client-cpp/lib/ sit alongside first-party source directories, making it harder to see where the project's own code ends.
Proposed fix
- Add the missing ports to
vcpkg.json (boost-* subset, ffmpeg[core features], openssl, curl, socket.io-client-cpp).
- Update
electricsheep.vcxproj to consume vcpkg include/lib paths instead of the hardcoded client_generic\*\win32\* paths.
git rm -r the five vendored directories.
- Verify the Windows build still works end-to-end.
This is a larger change — splitting into one issue so it can be scoped/owned separately from the smaller cleanup items (lua5.1-old, RuntimeMSVC).
PR #541 committed a large amount of Windows binary dependencies directly into the source tree, rather than pulling them via
vcpkgas the rest of the project already does.Sizes (as checked in)
client_generic/socket.io-client-cpp/lib/client_generic/ffmpeg/win32/ffmpeg-6.1.1-93/bin/*.dll(avdevice-60.dll, etc.) andlib/*client_generic/openssl-1.0.2k/windows/lib/msvc/x64/*client_generic/boost/win32/lib/libboost_*-vc143-mt-s{,gd}-x64-1_83.lib(~40 files)client_generic/curl/lib/{debug,release}-ssl-zlib/These are referenced from
client_generic/MSVC/electricsheep.vcxprojas include/lib search paths.Why this is bad
vcpkg.jsonandvcpkg/are used by the macOS build. There's no reason Windows can't use the same mechanism — vcpkg supports MSVC + clang-cl natively, and all five of these libraries are already in the vcpkg registry (boost-*,ffmpeg,openssl,curl,socket.io-client-cpp).openssl-1.0.2k(2017, EOL'd in 2019) and a pinnedffmpeg-6.1.1-93are stuck at whatever snapshot was vendored, with no upgrade path.openssl 1.0.2in particular has known unpatched CVEs..libfiles from source — we'd have to trust whatever machine built them originally.boost/win32/,ffmpeg/win32/,curl/lib/,openssl-1.0.2k/andsocket.io-client-cpp/lib/sit alongside first-party source directories, making it harder to see where the project's own code ends.Proposed fix
vcpkg.json(boost-*subset,ffmpeg[core features],openssl,curl,socket.io-client-cpp).electricsheep.vcxprojto consumevcpkginclude/lib paths instead of the hardcodedclient_generic\*\win32\*paths.git rm -rthe five vendored directories.This is a larger change — splitting into one issue so it can be scoped/owned separately from the smaller cleanup items (lua5.1-old, RuntimeMSVC).