Request for review: glpk -AND- shared vs static libs in Extras

Ed Hill ed at eh3.com
Tue Jul 26 15:29:59 UTC 2005


On Tue, 2005-07-26 at 17:14 +0200, Ralf Corsepius wrote:
> 
> In a nutshell: Several years ago, a serious vulnerability had been found
> in libz. Unfortunately, many (most) applications had been statically
> linked against vulnerable libz.a's. Worse, some applications had been
> linked against vulnerable versions of libz.a having been shipped as part
> of the application's sources. At this point, distributors, vendors and
> developers all around the world were facing the problem of identifying
> potentially vulnerable packages, applications and libraries.

Hi Ralf,

OK, that makes a lot more sense.  Thank you for the explanation!

So now I'm worried about the amount of effort it will take to patch
things to use shared libs if static libs are "banished" by policy.
Perhaps there is some way that folks can choose between:

 1) using only shared libs or
 2) *documenting* (in an easily machine-parse-able fashion) the 
    use of shared libs in all packages so that they can be 
    automatically re-built when a dependency is updated

I can understand that option (1) is probably more desirable but I
shudder at the amount of work that will have to happen to crusty old
makefiles, etc. to banish static libs from everything in Extras.

Ed

-- 
Edward H. Hill III, PhD
office:  MIT Dept. of EAPS;  Rm 54-1424;  77 Massachusetts Ave.
             Cambridge, MA 02139-4307
emails:  eh3 at mit.edu                ed at eh3.com
URLs:    http://web.mit.edu/eh3/    http://eh3.com/
phone:   617-253-0098
fax:     617-253-4464
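One concrete form the "identify potentially vulnerable packages" problem from Ralf's quoted paragraph can take, as an added illustration that is not part of this thread or of any Fedora tooling: zlib compiles a copyright string into deflate.c and inflate.c that survives static linking, so a package's binaries can be scanned for that string to recover the zlib version baked into them. The regex, the sample byte blobs and the 1.1.4 cut-off version below are all constructed or assumed for the example; a real audit would take the fixed version from the advisory in question.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# zlib embeds a copyright string in deflate.c and inflate.c, for example
#   " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
#   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
# The string survives static linking, so the version a binary carries can be
# recovered by searching its bytes. (Pattern written for this example.)
ZLIB_MARK = re.compile(
    rb"(?:deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4} "
)

# Assumed threshold for the illustration: copies of zlib older than this are
# reported as potentially vulnerable. Take the real value from the advisory.
FIXED_VERSION = "1.1.4"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.1.3' -> (1, 1, 3); tuples compare numerically, so 1.1.10 > 1.1.4."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_version(blob: bytes) -> Optional[str]:
    """Return the zlib version string baked into a binary, or None if absent."""
    match = ZLIB_MARK.search(blob)
    return match.group(1).decode("ascii") if match else None


def classify(blob: bytes, fixed: str = FIXED_VERSION) -> str:
    """One of 'no-embedded-zlib', 'static-zlib-vulnerable', 'static-zlib-ok'."""
    version = embedded_zlib_version(blob)
    if version is None:
        # No copy of zlib found inside: either dynamically linked (the shared
        # libz.so gets the fix on its own) or zlib is not used at all.
        return "no-embedded-zlib"
    if parse_version(version) < parse_version(fixed):
        return "static-zlib-vulnerable"
    return "static-zlib-ok"


def audit(binaries: Dict[str, bytes], fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Map each binary name to its classification; the rebuild list is the
    set of names marked 'static-zlib-vulnerable'."""
    return {name: classify(blob, fixed) for name, blob in binaries.items()}


def audit_paths(paths: Iterable[str], fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Same audit over files on disk (each file is read whole into memory)."""
    return audit({str(p): Path(p).read_bytes() for p in paths}, fixed)


# Constructed stand-ins for three package binaries (not real files):
# one statically linked against an old zlib, one against a newer zlib,
# one that only references the shared libz.so.
SAMPLE_BINARIES = {
    "oldapp": b"\x7fELF\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00",
    "newapp": b"\x7fELF\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "dynapp": b"\x7fELF\x00libz.so.1\x00inflateInit_\x00",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_BINARIES).items():
        print(f"{name}: {status}")
```

Two caveats worth keeping in mind when running this over a real package set: a static link only pulls in the zlib objects that are actually referenced, so a binary can carry zlib code without the marker string if neither deflate.o nor inflate.o was linked (absence is not proof of safety), and a package that ships its own patched copy of libz.a may report a version number that no longer says anything about the fix. That is exactly why Ed's option (2), a machine-parseable record of which packages bundle or statically link which libraries, is the more reliable source for deciding what to rebuild.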
