On 02/13/2015 10:56 AM, Petr Spacek wrote:
> Modified version of Zbyszek's idea with time constraints follows:
> 1) Accept the new package into Fedora N even with bundled libraries.
I am inclined to believe Fedora needs to encounter a serious vulnerability
originating from bundling, such that you guys comprehend why bundling
is utterly stupid ;)
For those who don't know what I am talking about:
Many years ago (IIRC, ~1999), nobody cared about static linkage or
bundling. At this time, it was common to statically link and/or bundle
libraries.
Then a critical vulnerability was found in libz affecting all Linux
distros. Nobody knew which packages bundled and/or statically linked
against different versions of libz. It took months for all Linux
distributions to identify their vulnerable packages, to find solutions
and to release security-fixes.
Meanwhile, we've had much more critical vulnerabilities in widely used
libs (remember Heartbleed), which all have been quite easy to fix
packaging-wise. IMO, to a great portion, thanks to having mostly banned
static linkage and bundling.
Ralf
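The inventory problem Ralf describes (nobody knowing which packages carried their own copy of libz) is what a bundled-library scanner answers. The following is an added example, not code from this thread or from Fedora's tooling. It relies on the fact that zlib's inflate.c and deflate.c embed version banners of the form "inflate 1.2.8 Copyright 1995-2013 Mark Adler" as string constants, so a statically linked or bundled copy carries the banner into the final binary; the sample "binaries" are constructed byte strings, and the FIXED_IN threshold is a placeholder for whatever release carries the fix being tracked.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# zlib's inflate.c and deflate.c embed version banners as string constants,
# e.g. "inflate 1.2.8 Copyright 1995-2013 Mark Adler". A statically linked or
# bundled copy carries that banner into the final binary, so a raw byte search
# is a cheap first-pass inventory of which files contain their own zlib.
ZLIB_BANNER = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def find_zlib_versions(blob: bytes) -> List[str]:
    """Distinct zlib versions whose banner appears in the blob, oldest first."""
    found = {m.group(2).decode("ascii") for m in ZLIB_BANNER.finditer(blob)}
    return sorted(found, key=parse_version)


def older_than(versions: Iterable[str], fixed_in: str) -> List[str]:
    """Subset of versions that predate the release carrying the fix."""
    floor = parse_version(fixed_in)
    return [v for v in versions if parse_version(v) < floor]


def scan_blobs(blobs: Dict[str, bytes], fixed_in: str) -> Dict[str, Dict[str, List[str]]]:
    """Report, per file name, the embedded zlib versions and which of them
    predate fixed_in. Files with no banner are omitted (they either link
    zlib dynamically or do not use it at all)."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, blob in blobs.items():
        versions = find_zlib_versions(blob)
        if versions:
            report[name] = {"versions": versions, "affected": older_than(versions, fixed_in)}
    return report


def scan_tree(root: Path, fixed_in: str, max_bytes: int = 64 * 1024 * 1024) -> Dict[str, Dict[str, List[str]]]:
    """Walk a directory (e.g. an unpacked package or a chroot) and scan each
    regular file up to max_bytes; symlinks are skipped to avoid double counting."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_bytes:
            continue
        report.update(scan_blobs({str(path): path.read_bytes()}, fixed_in))
    return report


# Constructed sample "binaries" (not real files): one bundling an old zlib,
# one bundling a newer zlib, and one that only links libz.so dynamically.
SAMPLE_BLOBS: Dict[str, bytes] = {
    "usr/bin/oldtool": (
        b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
        + b"inflate 1.1.3 Copyright 1995-1998 Mark Adler\x00"
        + b"deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly\x00"
    ),
    "usr/bin/newtool": (
        b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
        + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\x00"
    ),
    "usr/bin/dynamic": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"libz.so.1\x00",
}

# Placeholder threshold: substitute the zlib release that carries the fix
# you are tracking.
FIXED_IN = "1.1.4"


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on the samples.
    result = scan_tree(Path(sys.argv[1]), FIXED_IN) if len(sys.argv) > 1 else scan_blobs(SAMPLE_BLOBS, FIXED_IN)
    for name, info in sorted(result.items()):
        status = "AFFECTED" if info["affected"] else "ok"
        print(f"{status:8} {name}: zlib {', '.join(info['versions'])}")
```

The banner search is a heuristic: it finds copies that kept zlib's string constants, and misses builds that strip them or bundle a renamed fork, so it complements rather than replaces package metadata such as Provides: bundled(zlib) declarations.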
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct