On 5 October 2015 at 05:09, Dave Love <d.love@xxxxxxxxxxxxxxx> wrote:
> Tom Hughes <tom@xxxxxxxxxx> writes:
>
>> Recently I even saw a case of a header only C++ library bundling
>> another C++ header library which raises slightly metaphysical questions
>> since dependants of a header only library need to be rebuilt when it
>> changes anyway if they are to pick up security fixes. Strictly speaking
>> that's even true of a more traditional library if the security fix
>> happens to be in a header, but I wonder how well we pick up such
>> things and propagate them?
>
> I don't think that's uncommon in applications I see. I've been puzzled
> throughout why using things like Boost isn't counted and why this only
> seems to be about security, from what people have been saying.
>
> A header-only, or header-mainly, library seems quite likely to affect
> security-sensitive programs. On the other hand, the sort of (likely
> modified or version-specific) libraries for building the scientific
> programs I'm interested in seem to be problematical on the same level as
> things affecting potentially security-sensitive system programs.
>

I believe people are mostly dealing with security because it is the side that has the most real world effects and is the hammer which usually gets people to do something after they ignored it when all the other arguments have been made. Because in this networked world everything becomes security sensitive, because a hacker doesn't need to be root to do a lot of things. Hackers have used HPC computers for bitcoin mining because a grid app had an overflow which allowed them to run apps as a general user. They have set up spam farms for similar things. Another just decided on a lark to change data in a database to see if anyone noticed. All of which has interfered with research (and affected at least a couple of PhDs' graduation times.)

Most of those break-ins happened because of applications which were considered non-security related and usually via a bundled pile of PHP or Java.

> I am all in favour of unbundling as much from such packages as
> reasonably practical, from an engineering and system management point of
> view, and have done it. I'm just puzzled by some of the rationale in
> the discussion.
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

--
Stephen J Smoogen.