[Fedora-packaging] Exemption for bundling local copy of system library?
Tony Nelson
tonynelson at georgeanelson.com
Tue Sep 29 23:01:42 UTC 2009
On 09-09-29 15:37:10, Toshio Kuratomi wrote:
> I would argue no. The guidelines are written to apply to all
> libraries except with very limited exceptions to keep this from
> happening because security vulnerabilities are not limited to network
> facing code, suid code, or any other class that we've been able to
> identify. The libz vulnerability many years ago is the classic
> example of this. Many programs were embedding libz, many statically.
> When a security vulnerability in libz was discovered, we had to find
> all of those programs, remove the vulnerable library, patch any code
> that didn't work with the newer version, and rebuild all of those
> packages. This is not what you want to do when you are in the time-
> constrained situation of putting out a zero day update to the code.
...
If the number of exceptional packages is kept small, and the exceptions
were to Provide "private_libfoo" (for each "foo" lib), then would it
be manageable enough? At least it would be easy to find the broken
packages, though they would still need to be fixed.
--
____________________________________________________________________
TonyN.:' <mailto:tonynelson at georgeanelson.com>
' <http://www.georgeanelson.com/>
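An added example, not part of the thread and not Fedora's own tooling, of what "easy to find the broken packages" could look like once every bundling package Provides "private_libfoo": a small script that reads a package/provide listing (a constructed sample here, shaped like what rpm's --queryformat could emit) and lists the packages whose bundled copy of a given library must be patched and rebuilt. The optional "= version" on the Provide and the simplified numeric version comparison are assumptions beyond what the thread proposes; an unversioned Provide is treated as needing a rebuild, since nothing says it carries the fixed code.

```python
"""Find packages bundling a private copy of a system library.

Assumption (from the thread): each package that bundles 'libfoo' declares
'Provides: private_libfoo'.  Added assumption: the Provide may carry
'= <version>' of the bundled copy, so packages already at or above the
fixed version can be skipped when an update goes out.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample listing, one "<package>\t<provide>" pair per line,
# in the shape a query such as rpm -qa --queryformat could produce.
SAMPLE_PROVIDES = """\
foo-viewer\tfoo-viewer = 2.1-3.fc12
foo-viewer\tprivate_libz = 1.2.2
bar-tool\tbar-tool = 0.9-1.fc12
bar-tool\tprivate_libz = 1.2.3
bar-tool\tprivate_libpng = 1.2.40
baz-game\tbaz-game = 1.0-2.fc12
baz-game\tprivate_libpng
zlib\tlibz.so.1
zlib\tzlib = 1.2.3-23.fc12
"""

# "<pkg>\t<provide name>[ = <version>]"
PROVIDE_RE = re.compile(
    r"^(?P<pkg>\S+)\t(?P<name>\S+)(?:\s*=\s*(?P<ver>\S+))?\s*$"
)


def parse_provides(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (package, provide_name, version_or_None) for each listing line."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = PROVIDE_RE.match(line)
        if m is None:
            continue  # ignore lines that are not in the expected shape
        rows.append((m.group("pkg"), m.group("name"), m.group("ver")))
    return rows


def version_key(ver: str) -> Tuple[int, ...]:
    """Simplified comparison key: numeric components of the version part only.

    Deliberately NOT a full rpmvercmp; the release tag after '-' is ignored.
    """
    return tuple(int(p) for p in re.findall(r"\d+", ver.split("-")[0]))


def bundlers(text: str, lib: str,
             fixed_version: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map package -> bundled version for packages providing private_<lib>.

    If fixed_version is given, packages whose bundled copy is versioned and
    already >= fixed_version are left out; an unversioned Provide is always
    reported, because nothing shows it carries the fix.
    """
    want = f"private_{lib}"
    affected: Dict[str, Optional[str]] = {}
    for pkg, name, ver in parse_provides(text):
        if name != want:
            continue
        if (fixed_version is not None and ver is not None
                and version_key(ver) >= version_key(fixed_version)):
            continue
        affected[pkg] = ver
    return affected


if __name__ == "__main__":
    # A libz fix lands in 1.2.3: which packages still need their copy replaced?
    for pkg, ver in sorted(bundlers(SAMPLE_PROVIDES, "libz", "1.2.3").items()):
        print(f"{pkg}: bundled libz {ver or '(unversioned)'} -> rebuild needed")
```

Without a fixed version the script simply enumerates every bundler of the library, which is the inventory step the thread is after; the system package itself (zlib above) never appears, because it provides libz.so.1, not private_libz.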