[Fedora-packaging] Exemption for bundling local copy of system library?
Michel Alexandre Salim
michael.silvanus at gmail.com
Tue Sep 29 20:13:11 UTC 2009
On Tue, Sep 29, 2009 at 3:37 PM, Toshio Kuratomi <a.badger at gmail.com> wrote:
> On 09/29/2009 11:37 AM, Michel Alexandre Salim wrote:
>> Hi,
>>
>> Oolite <http://oolite.org> is currently undergoing review, and a
>> stumbling block is in its use of its own copy of libjs. An upstream
>> developer is participating in the review and has a clear explanation
>> for the rationale:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=459211
>>
>> libjs is not exposed to any network interfaces, so the risk is
>> probably quite low -- the alternative is to wait until xulrunner 2.0
>> is released (the previous stable version has problems in its scripting
>> mechanism and most third-party add-ons for Oolite do not work on it
>> anymore.
>>
>> Would it be alright in this case to bundle libjs?
>>
>
> I would argue no. The guidelines are written to apply to all libraries
> except with very limited exceptions to keep this from happening because
> security vulnerabilities are not limited to network facing code, suid
> code, or any other class that we've been able to identify. The libz
> vulnerability many years ago is the classic example of this. Many
> programs were embedding libz, many statically. When a security
> vulnerability in libz was discovered, we had to find all of those
> programs, remove the vulnerable library, patch any code that didn't work
> with the newer version, and rebuild all of those packages. This is not
> what you want to do when you are in the time-constrained situation of
> putting out a zero day update to the code.
>
Understandable. I suppose the best way to proceed is to continue the
review, but wait on the libjs removal for final approval.
> And it's probably premature to go to FESCo with this. Firefox does not
> use the system libjs.so. So you should find out if the spidermonkey
> maintainer is willing to compile with JS_C_STRINGS_ARE_UTF8. At present
> the only depending package I see is mediatomb so this might be the best
> option.
Good point; I'll contact both maintainers.
>
> Also note, it sounds like Oolite is updating to js-1.80 -- that's
> currently at rc1, not an actual release. You'll need to work with the
> js maintainer and make sure that that is okay as well.
>
Worse come to worse, we can stay at the last version that support
js-1.70, and probably ask the js maintainer to update Rawhide to
1.80-pre, now that F-12 branching has occured?
Thanks, Toshio and Jon, for the inputs.
--
Michel Alexandre Salim
More information about the Fedora-packaging
mailing list