https://bugzilla.redhat.com/show_bug.cgi?id=481536

--- Comment #16 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> 2009-05-29 15:39:13 EDT ---

What I'm communicating is that sanitising user input is only one part of security and it doesn't form a complete argument for why bundling libraries would be okay. If you didn't bundle your libraries, you'd still pass the data through the Enano preprocessor before handing off to the third party libraries, right? So there's no security advantage to bundling.

But the security advantage to unbundled libraries is that if there's a security flaw in an unbundled library, we can address that by updating a single package. If there's a security flaw and enano, drupal, phpnuke, and wordpress all have that library bundled, then we have to find that the library exists in each of those packages, backport the fix to each of the versions each of those apps is bundling, make it work with the local modifications that you may have applied, rebuild all of those packages, and release new versions of all of those packages with a security announcement for each of those packages which our users then have to download and install on their machines.