https://bugzilla.redhat.com/show_bug.cgi?id=481536

--- Comment #14 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> 2009-05-29 14:33:10 EDT ---

For security, that's not really good enough. Sanitising input is necessary whether you bundle your libraries or not.

Bundling means that if foo.php v1.1 has an unintended flaw that allows users to access resources they shouldn't (or DoS the server or...) even without injection, and upstream foo fixes that by releasing foo-2.0, we will upgrade the foo package ASAP. But we don't know that enano is carrying an old, insecure foo-1.1 because you didn't notice the security announcement or didn't immediately release a new enano version.

System administrators rely on us to keep their software free of security vulnerabilities. Not bundling libraries is one way that we ensure that.

For the PHP license:
http://www.fsf.org/licensing/licenses/index_html#GPLIncompatibleLicenses

_______________________________________________
Fedora-package-review mailing list
http://www.redhat.com/mailman/listinfo/fedora-package-review