status of forked zlibs in rsync and zsync

Tomas Mraz tmraz at redhat.com
Wed Sep 16 07:42:23 UTC 2009


On Tue, 2009-09-15 at 14:01 -0700, Toshio Kuratomi wrote:
> On 09/15/2009 01:29 PM, Simo Sorce wrote:

> > Sorry, but the packager may have no way to influence upstream.
> > And to be honest, having a huge patch against rsync and/or zsync to
> > extract a library against the will of the rsync and/or zsync upstream is
> > contrary to Fedora policy (AFAIK).
> > 
> You bring up several good thoughts here:
> 
> 1) We have two conflicting policies: stick with upstream, and do not
> have private copies of system libraries.  Since the latter is in place
> for security reasons and maintainability while the former is only for
> maintainability, I'd place more value on it.

I don't think the security reasons here are so much more important. If
the proliferation of bundled libraries is very strictly controlled (for
example by the need to get a FESCo exception) and the security response
team is always notified when a new such bundle is added to the
distribution, the security updates can be handled without the delays you
described. A new vulnerability in the library would always trigger
immediate updates in the library and in all the bundled copies of the
library. Of course it is an additional burden on the security response
team, but, as I said above, with well-discussed and reasoned exceptions it
does not seem to me as huge a problem as you paint it. I would also think
that the security response team already maintains such a list for existing
bundled libraries.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
