[Fedora-packaging] Exemption for bundling local copy of system library?

Michel Alexandre Salim michael.silvanus at gmail.com
Tue Sep 29 20:13:11 UTC 2009

On Tue, Sep 29, 2009 at 3:37 PM, Toshio Kuratomi <a.badger at gmail.com> wrote:
> On 09/29/2009 11:37 AM, Michel Alexandre Salim wrote:
>> Hi,
>> Oolite <http://oolite.org> is currently undergoing review, and a
>> stumbling block is in its use of its own copy of libjs. An upstream
>> developer is participating in the review and has a clear explanation
>> for the rationale:
>> https://bugzilla.redhat.com/show_bug.cgi?id=459211
>> libjs is not exposed to any network interfaces, so the risk is
>> probably quite low -- the alternative is to wait until xulrunner 2.0
>> is released (the previous stable version has problems in its scripting
>> mechanism and most third-party add-ons for Oolite do not work on it
>> anymore.
>> Would it be alright in this case to bundle libjs?
> I would argue no.  The guidelines are written to apply to all libraries
> except with very limited exceptions to keep this from happening because
> security vulnerabilities are not limited to network facing code, suid
> code, or any other class that we've been able to identify.  The libz
> vulnerability many years ago is the classic example of this.  Many
> programs were embedding libz, many statically.  When a security
> vulnerability in libz was discovered, we had to find all of those
> programs, remove the vulnerable library, patch any code that didn't work
> with the newer version, and rebuild all of those packages.  This is not
> what you want to do when you are in the time-constrained situation of
> putting out a zero day update to the code.
Understandable. I suppose the best way to proceed is to continue the
review, but wait on the libjs removal for final approval.

> And it's probably premature to go to FESCo with this.  Firefox does not
> use the system libjs.so.  So you should find out if the spidermonkey
> maintainer is willing to compile with JS_C_STRINGS_ARE_UTF8.  At present
> the only depending package I see is mediatomb so this might be the best
> option.
Good point; I'll contact both maintainers.

> Also note, it sounds like Oolite is updating to js-1.80 -- that's
> currently at rc1, not an actual release.  You'll need to work with the
> js maintainer and make sure that that is okay as well.
Worse come to worse, we can stay at the last version that support
js-1.70, and probably ask the js maintainer to update Rawhide to
1.80-pre, now that F-12 branching has occured?

Thanks, Toshio and Jon, for the inputs.

Michel Alexandre Salim

More information about the Fedora-packaging mailing list