On 02/13/2015 04:13 PM, Stephen Gallagher wrote:
> I'd like to point out something that I think you missed in my
> initial email. I'm not saying that anything should be allowed to
> bundle software transparently. The primary problem we faced back in
> '99 was that *we didn't know what was bundling libz*. With an
> enforced virtual Provides: bundled(foo) we can at least get an
> accurate listing of the set of packages that would need to be
> updated in the event of a vulnerability.

I'm not worried so much about detection, but about fixing complicated vulnerabilities (that is, not your usual C memory safety issue) in dozens of libraries which have slightly drifted out of sync and may even have been patched locally, specifically for the purposes of their bundled application.

I have had some people express the notion that they can always switch to the system library version in case a security vulnerability comes out, but I doubt that this works in practice (because then there wouldn't be a reason for bundling).

-- 
Florian Weimer / Red Hat Product Security

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct