[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: status of forked zlibs in rsync and zsync



On 09/16/2009 12:42 AM, Tomas Mraz wrote:
> On Tue, 2009-09-15 at 14:01 -0700, Toshio Kuratomi wrote:
>> On 09/15/2009 01:29 PM, Simo Sorce wrote:
> 
>>> Sorry but the packager may have no way to influence upstream.
>>> And to be honest having a huge patch against rsync and/or zsync to
>>> extract a library against the will of the rsync and/or zsync upstream is
>>> contrary to fedora policy as (AFAIK).
>>>
>> You bring up several good thoughts here:
>>
>> 1) We have two conflicting policies.  Stick with upstream and do not
>> have private copies of system libraries.  Since the latter is in place
>> for security reasons and maintainability while the former is only for
>> maintainability, I'd place more value on it.
> 
> I don't think the security reasons here are so much more important. If
> the proliferation of bundled libraries is very strictly controlled (for
> example by the need to get a FESCo exception) and the security response
> team is always notified when a new such bundle is added to the
> distribution, the security updates can be handled without the delays you
> described. A new vulnerability in the library would always trigger
> immediate updates in the library and in all the bundled copies of the
> library. Of course it is an additional burden on the security response
> team, but as I said above, in well discussed and reasoned exceptions it
> does not seem to me as huge a problem as you paint it. I would also think
> that the security response team already maintains such a list for existing
> bundled libraries.

You are incorrect about what the security response team currently does.
If you would like to spearhead adding this responsibility to the
security response team's duties, go about creating a list of programs
that bundle libraries and the criteria for it, and present the plan to
FESCo and the Packaging Committee, then we would have a way to judge
whether we should change the Guidelines because of a mitigating factor.
If you just want to say "this is how it should be" but no one is
actually willing to do the work of making things work that way, then I
will continue to say that we have a large security problem wrt bundled
libraries.

Also, I will note that FESCo has already reviewed the zsync/rsync
inclusion and decided that the bundled zlib needs to be split out or
removed entirely.  So your idea of using FESCo exceptions to control
which applications are allowed to be bundled needs to also include some
criteria.

-Toshio

Attachment: signature.asc
Description: OpenPGP digital signature

