On Mon, Jul 22, 2013 at 12:52:29AM +0200, Andrea Pescetti wrote:
> On 19/07/2013 Daniel Veillard wrote:
> >One of my specific requests there is to make sure that they link to the system
> >libraries instead of relying on the embedded version used e.g. for
> >Windows build. Very specifically make sure libxml2 etc... is not
> >provided by static version inside but uses the system one (so we don't
> >have to push Apache OpenOffice too if there is a libxml2 security errata!)
>
> This is a guideline and we will follow it as closely as possible,
> but we do still have some incompatibilities (meaning that OpenOffice
> needs specially patched versions of some dependencies, or older
> versions of libraries) which means that we won't be able to solve
> the problem completely (well, patches welcome).
>
> As for the security errata, I understand the technical point and I
> agree with it, but in practice I wouldn't be too much concerned
> about it. OpenOffice released only one out-of-cycle security update
> in the last two years, and only three new versions in the same
> timeframe. While the release cycle is expected to become shorter,
> OpenOffice is still very far from releasing too often.

Being the guy who handles the security errata for libxml2, I know that
we avoided pushing OpenOffice a number of times in the past because
our packagers and devels spent an awful lot of time removing copies
of system libraries out of OpenOffice!
That game lasted over a decade, I don't want a "new" packaging
forgetting all that work, just because of simplicity, negligence or
"I'm not too worried".

Want to put OpenOffice back in, sure, but play by the rules!

Daniel

--
Daniel Veillard      | Open Source and Standards, Red Hat
veillard@xxxxxxxxxx  | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel