Re: [PATCHv3 03/13] Switch from yajl to Jansson

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, May 15, 2018 at 03:23:17PM +0200, Peter Krempa wrote:
> On Tue, May 15, 2018 at 14:21:07 +0100, Daniel Berrange wrote:
> > On Tue, May 15, 2018 at 03:05:55PM +0200, Peter Krempa wrote:
> > > On Fri, May 11, 2018 at 14:59:04 +0200, Ján Tomko wrote:
> > > > Yajl has not seen much activity upstream recently.
> > > 
> > > [0]
> > 
> > [snip]
> > > [0] For anyone following current meme trends, this looks like it's
> > > relevant to our YAJL->janson switch:
> > > 
> > > https://i.redditmedia.com/J46fZN24lFx3fMRlJNpkNEOFqU79zWTsRDBMla1u0HE.jpg?s=4757d31d1cbd758962407917e0d3aacb
> > 
> > If you think we should stay with YAJL because it "just works" then
> > take a look at the bug reports against it upstream
> > 
> >   https://github.com/lloyd/yajl/issues
> > 
> > double frees, memory leaks, parser gets stuck after parsing bad JSON, etc
> > all ignored for years.  The robustness of the JSON parser we use is
> > critical to the security of the libvirt QEMU driver.  I'm not saying
> > janson is perfect, but it is at least maintained, so when problem in
> > it as discovered, there's a real possibility to get them fixed, instead
> > of ignored with the YAJL abandonware.
> 
> No. I agree with the change, but "having serious flaws" is slightly
> different than "not very active upstream".

I don't think that makes much difference. All non-trivial software has
serious flaws, especially if written in memory-unsafe languages like
C. The only question is whether the flaws have been found yet. Given
that, whether there is an active upstream maintaining it, is a key
factor to decide whether to continue using something. The fact that
we already see significant unfixed flaws just reinforces how important
it is to have an active upstream.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux