Tom Hughes <tom@xxxxxxxxxx> writes:

> Recently I even saw a case of a header only C++ library bundling
> another C++ header library which raises slightly metaphysical questions
> since dependants of a header only library need to be rebuilt when it
> changes anyway if they are to pick up security fixes. Strictly speaking
> that's even true of a more traditional library if the security fix
> happens to be in a header, but I wonder how well we pick up such
> things and propagate them?

I don't think that's uncommon in applications I see. I've been puzzled throughout why using things like Boost isn't counted and why this only seems to be about security, from what people have been saying. A header-only, or header-mainly, library seems quite likely to affect security-sensitive programs. On the other hand, the sort of (likely modified or version-specific) libraries for building the scientific programs I'm interested in seem to be problematical on the same level as things affecting potentially security-sensitive system programs.

I am all in favour of unbundling as much from such packages as reasonably practical, from an engineering and system management point of view, and have done it. I'm just puzzled by some of the rationale in the discussion.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct