https://bugzilla.redhat.com/show_bug.cgi?id=457343

--- Comment #13 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> 2011-08-31 17:26:45 EDT ---

(In reply to comment #11)
> IMHO, comparing a javascript "library" to a .so is simply wrong to begin with,
> and bundling here should be allowed. The only thing to make sure is that
> security issues can be identified ASAP; which involves making it easy to
> identify every .srpm that bundles a specific jquery version.

Simply identifying is not enough. We must also be able to fix and to deploy the fix. Treating the javascript library the same as an .so makes that whole chain the easiest. However, I've already stated that I don't think we can manage that at the moment and proposed treating javascript libraries as static libraries (.a) as a better compromise.

Treating it as a .a allows identifying because you can query the buildrequires of packages to determine what packages have linked to jquery. It makes fixing slightly easier because you can know that the jquery shipped with an app previously does not have local, app-only modifications. It does not go further to protect us from having to port a lot of packages to newer APIs at crunch time (in the days or hours before a vulnerability is publicly announced), having to rebuild all affected packages, or allow us to deploy a single, fixed version of the library package instead of having to distribute the fixed library and all of the applications that have been rebuilt with the fixed version.