7.7.2017 20.45 "Jason L Tibbitts III" <tibbs@xxxxxxxxxxx> wrote:
> I would argue that it doesn't remove the ability, but that it does make
> it more difficult to do in an automated fashion. Basically you can see
> that something has a bundled library but then you need to do manual
> inspection to go further.
I think the versioning isn't worth much at all.
If the bundled version corresponds to an upstream release to an extent that it can be called that version, and checks like the discussed one could be skipped just by looking at the version label, then it must be practically the same. So why is it bundled in the first place?
On the other hand, if there is a "good" reason it is bundled, that reason quite probably is that it is a modified version. So it's different from the upstream one, and thus knowledge of whether an upstream release is vulnerable or not cannot simply be assumed based on the version label a packager has attached to it. It needs to be checked anyway.
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx