Re: dropping autogenerated dependency on pkg-config

On Fri, May 3, 2019 at 8:18 PM Nicolas Mailhot via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Friday 03 May 2019 at 19:59 +0200, Dridi Boukelmoune wrote:
> > On Fri, May 3, 2019 at 1:45 PM Nicolas Mailhot via devel
> > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > On Friday 03 May 2019 at 12:04 +0100, Tomasz Kłoczko wrote:
> > > > On Fri, 3 May 2019 at 11:04, Nicolas Mailhot via devel
> > > > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > > [..]
> > > > > You're assuming the only use is rollback. It's not
> > > >
> > > > Point taken. Can you shortly describe other use cases?
> > >
> > > You use apps in one of those languages that build statically by
> > > default. There is a security alert in one code component. You want
> > > to know which packages in your repo/mirror have been built using
> > > the broken piece of source code
> >
> > Last time we disagreed on this topic my opinion was that static
> > linking should imply bundled provides:
> >
> >     Provides: bundled(<as usual>) = <crate or module version>
> >
> > Hopefully something that could be automated for some stacks.
>
> That makes it stack-specific

Bundling in general is very package-specific anyway.

> And anyway, the classical compiler attack (compiler that inserts
> backdoor while compiling) shows that special-casing some packages for
> special tracking does not work, pretty much anything that existed in
> the build root needs to be tracked because it may be exploited one way
> or another, and spread the exploit to everything that used it.

I definitely agree with that part, but I have no opinion on where that
information should live.

Dridi
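
The audit use case raised in this thread (finding which packages were built with a vulnerable bundled component), sketched as an added example that is not part of the original message or of any Fedora tooling. It assumes the `Provides: bundled(<name>) = <version>` form quoted above; the package names, component names and version range are constructed, and the version comparison is a simplified dotted-numeric one, not RPM's full algorithm.

```python
import re

# Constructed sample metadata: package NVR -> its Provides entries.
# All names and versions below are invented for illustration.
REPO_PROVIDES = {
    "toola-1.0-1": ["toola = 1.0-1", "bundled(libfoo) = 0.4.2"],
    "toolb-2.3-4": ["toolb = 2.3-4", "bundled(libfoo) = 0.4.5"],
    "toolc-0.9-2": ["toolc = 0.9-2", "bundled(libfoo) = 0.4.10"],
    "toold-1.1-1": ["toold = 1.1-1", "bundled(libbar) = 0.4.2"],
    "toole-3.0-1": ["toole = 3.0-1"],  # dynamically linked, nothing bundled
}

# Matches the Provides form quoted in the thread (simple names only).
BUNDLED_RE = re.compile(r"^bundled\((?P<name>[^()]+)\)\s*=\s*(?P<ver>\S+)$")


def parse_version(text):
    """Assumption: versions are dotted integers (simplified, not rpmvercmp)."""
    return tuple(int(part) for part in text.split("."))


def affected_packages(repo, component, first_bad, first_fixed):
    """Return (package, bundled version) pairs with first_bad <= version < first_fixed."""
    low, high = parse_version(first_bad), parse_version(first_fixed)
    hits = []
    for package, provides in sorted(repo.items()):
        for entry in provides:
            match = BUNDLED_RE.match(entry.strip())
            if not match or match["name"] != component:
                continue
            # Compare numerically: as strings, "0.4.10" would sort below "0.4.5".
            if low <= parse_version(match["ver"]) < high:
                hits.append((package, match["ver"]))
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: libfoo is affected from 0.4.0 up to, not including, 0.4.5.
    for package, version in affected_packages(REPO_PROVIDES, "libfoo", "0.4.0", "0.4.5"):
        print(f"{package} bundles libfoo {version}: rebuild needed")
```

A query like this only sees components that were declared as bundled; anything else that was present in the build root is invisible to it.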