On Tue, Sep 29, 2009 at 3:37 PM, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote: > On 09/29/2009 11:37 AM, Michel Alexandre Salim wrote: >> Hi, >> >> Oolite <http://oolite.org> is currently undergoing review, and a >> stumbling block is in its use of its own copy of libjs. An upstream >> developer is participating in the review and has a clear explanation >> for the rationale: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=459211 >> >> libjs is not exposed to any network interfaces, so the risk is >> probably quite low -- the alternative is to wait until xulrunner 2.0 >> is released (the previous stable version has problems in its scripting >> mechanism and most third-party add-ons for Oolite do not work on it >> anymore. >> >> Would it be alright in this case to bundle libjs? >> > > I would argue no. The guidelines are written to apply to all libraries > except with very limited exceptions to keep this from happening because > security vulnerabilities are not limited to network facing code, suid > code, or any other class that we've been able to identify. The libz > vulnerability many years ago is the classic example of this. Many > programs were embedding libz, many statically. When a security > vulnerability in libz was discovered, we had to find all of those > programs, remove the vulnerable library, patch any code that didn't work > with the newer version, and rebuild all of those packages. This is not > what you want to do when you are in the time-constrained situation of > putting out a zero day update to the code. > Understandable. I suppose the best way to proceed is to continue the review, but wait on the libjs removal for final approval. > And it's probably premature to go to FESCo with this. Firefox does not > use the system libjs.so. So you should find out if the spidermonkey > maintainer is willing to compile with JS_C_STRINGS_ARE_UTF8. At present > the only depending package I see is mediatomb so this might be the best > option. Good point; I'll contact both maintainers. > > Also note, it sounds like Oolite is updating to js-1.80 -- that's > currently at rc1, not an actual release. You'll need to work with the > js maintainer and make sure that that is okay as well. > Worse come to worse, we can stay at the last version that support js-1.70, and probably ask the js maintainer to update Rawhide to 1.80-pre, now that F-12 branching has occured? Thanks, Toshio and Jon, for the inputs. -- Michel Alexandre Salim -- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
