On 09-09-29 15:37:10, Toshio Kuratomi wrote:
> I would argue no. The guidelines are written to apply to all
> libraries except with very limited exceptions to keep this from
> happening because security vulnerabilities are not limited to network
> facing code, suid code, or any other class that we've been able to
> identify. The libz vulnerability many years ago is the classic
> example of this. Many programs were embedding libz, many statically.
> When a security vulnerability in libz was discovered, we had to find
> all of those programs, remove the vulnerable library, patch any code
> that didn't work with the newer version, and rebuild all of those
> packages. This is not what you want to do when you are in the
> time-constrained situation of putting out a zero day update to the code.

...

If the number of exceptional packages is kept small, and the exceptions were to Provide "private_libfoo" (for each "foo" lib), then would it be manageable enough? At least it would be easy to find the broken packages, though they would still need to be fixed.

--
____________________________________________________________________
TonyN.:' <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      ' <http://www.georgeanelson.com/>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
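The step Toshio describes as the painful part of the libz incident, finding every program that statically embedded the library, can be automated without relying on maintainers having declared a Provides tag. This is an added example, not code from the thread or from Fedora's tooling. It uses the fact that zlib compiles its version into two constant strings (`inflate_copyright` in inflate.c and `deflate_copyright` in deflate.c, of the form " inflate 1.2.11 Copyright 1995-2017 Mark Adler "), which a static link carries into the final executable. The function names, the `SAMPLE_BINARIES` byte blobs and the fixed-version value are constructed for the example; the blobs stand in for real ELF files and are not real binaries.

```python
import os
import re
from typing import Dict, Optional, Tuple

# zlib embeds its version in the constant strings inflate_copyright and
# deflate_copyright, e.g. " inflate 1.2.11 Copyright 1995-2017 Mark Adler ".
# A statically linked copy carries these into the executable, so a byte scan
# finds both the fact of bundling and the exact version bundled.
ZLIB_MARK = re.compile(rb" (inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright ")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11), so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def find_embedded_zlib(blob: bytes) -> Optional[str]:
    """Return the zlib version string embedded in an image, or None if absent."""
    versions = {m.group(2).decode() for m in ZLIB_MARK.finditer(blob)}
    if not versions:
        return None
    # inflate and deflate normally agree; report the lowest if they do not.
    return min(versions, key=parse_version)


def is_vulnerable(found: str, fixed: str) -> bool:
    """True when the embedded version predates the version carrying the fix."""
    return parse_version(found) < parse_version(fixed)


def audit(binaries: Dict[str, bytes], fixed_version: str) -> Dict[str, Tuple[str, bool]]:
    """Map path -> (embedded version, vulnerable?) for every bundler found."""
    report = {}
    for path, blob in binaries.items():
        version = find_embedded_zlib(blob)
        if version is not None:
            report[path] = (version, is_vulnerable(version, fixed_version))
    return report


def scan_directory(root: str, fixed_version: str) -> Dict[str, Tuple[str, bool]]:
    """Read every regular file under root and audit it (e.g. root='/usr/bin')."""
    blobs: Dict[str, bytes] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blobs[path] = fh.read()
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
    return audit(blobs, fixed_version)


# Constructed stand-ins for scanned binaries (hypothetical, not real files):
# a program with an old static zlib, one with a current static zlib, and one
# that uses the system libz.so and therefore carries no marker string.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "/usr/bin/oldtool": b"\x7fELF\x02\x01\x01" + b"\0" * 32
        + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler " + b"\0" * 8
        + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ",
    "/usr/bin/newtool": b"\x7fELF\x02\x01\x01" + b"\0" * 32
        + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ",
    "/usr/bin/dynamic": b"\x7fELF\x02\x01\x01" + b"\0" * 32 + b"libz.so.1\0",
}

if __name__ == "__main__":
    # The fixed version is an assumed value for the example; substitute the
    # version named in the advisory you are responding to.
    for path, (version, vuln) in sorted(audit(SAMPLE_BINARIES, "1.2.11").items()):
        print(f"{path}: embedded zlib {version} {'VULNERABLE' if vuln else 'ok'}")
```

The dynamic binary drops out of the report because the marker lives in libz.so rather than in the executable, which is exactly the split the guidelines care about: only the bundlers need a rebuild. A Provides tag of the kind proposed above is only as good as the diligence of the maintainer who added it, so a scan of the shipped binaries is the independent check against the declared list; Fedora's guidelines later settled on `Provides: bundled(zlib) = <version>` for that declaration, which `rpm -q --whatprovides 'bundled(zlib)'` can then query.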