On Tue, Apr 8, 2014 at 4:54 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> On Tue, Apr 08, 2014 at 13:04:54 -0400,
> Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
>>
>> Similarly, there are a great many useful Ruby libraries and
>> applications out there for which unbundling them would be an exercise
>> in futility. Ask yourself which is more important to most users:
>> 1) My OS is perfectly maintainable by engineers.
>> or
>> 2) My OS lets me install the software I need without hassle.
>
> This can result in more work when there are security events. One thing I was
> happy about with Fedora is that by updating openssl and restarting services
> I am pretty sure I have blocked that attack. Who is going to do the work
> searching for bundled libraries when similar events occur in the future?

Who is doing that work within Fedora today? After the initial review, there
is no on-going audit of packages _within_ Fedora to make sure they aren't
bundling (or following guidelines at all).

That's not to say that we have a massive problem. It _is_ implying that maybe
one shouldn't blindly trust the guidelines to catch all of the potential
problems though.

josh

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
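One way to do the search Bruno asks about and Josh says nobody is doing today, as an added example (not code from this thread, from Fedora, or from any of its tooling): walk a tree and report ELF files that carry their own OpenSSL version banner, since an update to the distro's libssl/libcrypto packages does nothing for a statically linked or vendored copy. The banner regex, the skip list for the system libraries, and the fixture tree are my own assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# OpenSSL embeds a banner like b"OpenSSL 1.0.1e-fips 11 Feb 2013" in libcrypto
# and in anything that links it statically (assumed pattern).
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z]+)?)")
SYSTEM_LIBS = ("libssl.so", "libcrypto.so")  # distro copies, fixed by the rpm update


def embedded_openssl_versions(data: bytes) -> list:
    """Distinct OpenSSL version tags found in data, in first-seen order."""
    seen = []
    for m in BANNER_RE.finditer(data):
        tag = m.group(1).decode()
        if tag not in seen:
            seen.append(tag)
    return seen


def scan_tree(root: str) -> dict:
    """Map path -> versions for ELF files under root that embed their own banner."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.startswith(SYSTEM_LIBS):  # the package update already covers these
                continue
            path = Path(dirpath, name)
            try:
                data = path.read_bytes()
            except OSError:  # unreadable file or dangling symlink
                continue
            versions = embedded_openssl_versions(data) if data.startswith(ELF_MAGIC) else []
            if versions:
                hits[str(path)] = versions
    return hits


def build_fixture() -> str:
    """Constructed sample tree: system lib (skipped), bundled copy (reported), text file."""
    root = Path(tempfile.mkdtemp(prefix="bundle-scan-"))
    banner = b"OpenSSL 1.0.1e-fips 11 Feb 2013\x00"
    (root / "libssl.so.1.0.1e").write_bytes(ELF_MAGIC + banner)
    (root / "vendored-app").write_bytes(ELF_MAGIC + b"\x00" * 16 + banner)
    (root / "notes.txt").write_bytes(banner)
    return str(root)
```

Run `scan_tree("/usr")` on a real box to get the list of candidates to check against the version the distro just shipped; a banner match is a lead, not proof, so confirm each hit with the package owner.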