[Bug 457343] Review Request: jquery - Fast, concise library that simplifies how you use javascript

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=457343

--- Comment #13 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> 2011-08-31 17:26:45 EDT ---
(In reply to comment #11)

> IMHO, comparing a javascript "library" to a .so is simply wrong to begin with,
> and bundling here should be allowed. The only thing to make sure is that
> security issues can be identified ASAP; which involves making it easy to
> identify every .srpm that bundles a specific jquery version.

Simply identifying is not enough.  We must also be able to fix and to deploy
the fix.  Treating the javascript library the same as an .so makes that whole
chain the easiest.  However, I've already stated that I don't think we can
manage that at the moment and proposed treating javascript libraries as static
libraries (.a) as a better compromise.  Treating as a .a allows identifying
because you can query the buildrequires of packages to determine what packages
have linked to jquery.  It makes fixing slightly easier because you can know
that the jquery shipped with an app previously does not have local, app-only
modifications.  It does not go further to protect us from having to port a lot
of packages to newer APIs at crunch time (in the days or hours before a
vulnerability is publically announced), having to rebuild all affected
packages, or allow us to deploy a single, fixed version of the library package
instead of having to distribute the fixed library and all of the applications
that have been rebuilt with the fixed version.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review


[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]