[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Fedora-packaging] Exemption for bundling local copy of system library?



On 09-09-29 15:37:10, Toshio Kuratomi wrote:

> I would argue no.  The guidelines are written to apply to all
> libraries except with very limited exceptions to keep this from 
> happening because security vulnerabilities are not limited to network 
> facing code, suid code, or any other class that we've been able to 
> identify.  The libz vulnerability many years ago is the classic 
> example of this.  Many programs were embedding libz, many statically. 
> When a security vulnerability in libz was discovered, we had to find 
> all of those programs, remove the vulnerable library, patch any code 
> that didn't work with the newer version, and rebuild all of those 
> packages.  This is not what you want to do when you are in the time-
> constrained situation of putting out a zero day update to the code.
 ...

If the number of exceptional packages is kept small, and the exeptions 
were to Provide "private_libfoo" (for each "foo" lib), then would it 
be manageable enough?  At least it would be easy to find the broken 
packages, though they would still need to be fixed.

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson georgeanelson com>
      '                              <http://www.georgeanelson.com/>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]