On Tue, 2009-09-15 at 14:01 -0700, Toshio Kuratomi wrote:
> On 09/15/2009 01:29 PM, Simo Sorce wrote:
> > Sorry but the packager may have no way to influence upstream.
> > And to be honest having a huge patch against rsync and/or zsync to
> > extract a library against the will of the rsync and/or zsync upstream is
> > contrary to fedora policy as (AFAIK).
> >
> You bring up several good thoughts here:
>
> 1) We have two conflicting policies. Stick with upstream and do not
> have private copies of system libraries. Since the latter is in place
> for security reasons and maintainability while the former is only for
> maintainability, I'd place more value on it.

I don't think the security reasons here are so much more important. If the
proliferation of bundled libraries is very strictly controlled (for example
by the need to get a FESCO exception) and the security response team is
always notified when a new such bundle is added to the distribution, the
security updates can be handled without the delays you described. A new
vulnerability in the library would always trigger immediate updates in the
library and in all the bundled copies of the library.

Of course it is an additional burden on the security response team, but as
I said above, in well discussed and reasoned exceptions it does not seem to
me as huge a problem as you paint it. I would also think that the security
response team already maintains such a list for existing bundled libraries.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list