On 09/16/2009 12:42 AM, Tomas Mraz wrote:
> On Tue, 2009-09-15 at 14:01 -0700, Toshio Kuratomi wrote:
>> On 09/15/2009 01:29 PM, Simo Sorce wrote:
>
>>> Sorry but the packager may have no way to influence upstream.
>>> And to be honest having a huge patch against rsync and/or zsync to
>>> extract a library against the will of the rsync and/or zsync upstream is
>>> contrary to fedora policy as (AFAIK).
>>>
>> You bring up several good thoughts here:
>>
>> 1) We have two conflicting policies. Stick with upstream and do not
>> have private copies of system libraries. Since the latter is in place
>> for security reasons and maintainability while the former is only for
>> maintainability, I'd place more value on it.
>
> I don't think the security reasons here are so much more important. If
> the proliferation of bundled libraries is very strictly controlled (for
> example by the need to get a FESCO exception) and the security response
> team is always notified when a new such bundle is added to the
> distribution the security updates can be handled without the delays you
> described. A new vulnerability on the library would always trigger
> immediate updates in the library and in all the bundled copies of the
> library. Of course it is an additional burden on the security response
> team but as I said above in well discussed and reasoned exceptions it
> does not seem to me as huge problem as you paint it. I would also think
> that the security response team already maintains such list for existing
> bundled libraries.

You are incorrect about what the security response team currently does. If you would like to spearhead adding this responsibility to the security response team's duties and go about creating a list of programs that bundle libraries and the criteria for and presenting the plan to FESCo and the Packaging Committee then we would have a way to judge whether we should change the Guidelines because of a mitigating factor.

If you just want to say, this is how it should be but no one is actually willing to do the work of making things work that way, then I will continue to say that we have a large security problem wrt bundled libraries.

Also, I will note that FESCo has already reviewed the zsync/rsync inclusion and decided that the bundled zlib needs to be split out or removed entirely. So your idea of using FESCo exceptions to control which applications are allowed to be bundled needs to also include some criteria.

-Toshio
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list