On Tue, 2009-12-29 at 14:41 +0100, Ralf Corsepius wrote:
> On 12/29/2009 11:52 AM, Daniel Drake wrote:
> > OLPC has previously had a specific version of tomcrypt/tommath
> > professionally audited for security reasons. So we obviously want to
> > stick with that version.
> >
> > A few packages we have in Fedora currently use this frozen, audited
> > version - we do so by shipping duplicate copies of that source code
> > within the individual packages, rather than linking against the dynamic
> > systemwide equivalents.

<snip>

> > Or am I going too far against common packaging practice at this point?
> Yes. You are outsmarting yourselves and not doing good to other users of
> the libraries, IMO.

I think the argument could go both ways. In the case of OLPC, they're
providing Open Source pieces that are similar to things like the TPM
technologies in other systems. If a certain major PC chip manufacturer
decided to release all of the design and code schematics for their TPM
chips, the community would probably praise them... and then wonder what
the potential could be for a bad library release to undermine them.

> If all users of the library were using the same, identical shared
> versions, everybody would benefit from your "auditing", maintainers
> would benefit from "issues being fixed" at one place, users would
> benefit from you not shipping statically linked packages.

One presumes that such auditing is expensive, lengthy, and not often to be
repeated. Committing to undertaking a full code audit on every update
would seem to be a little unreasonable of a request. So I think it's
obvious that if they want to use an audited version, there will have to
be a separate audited version.

Jon.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list