F20 Self Contained Change: Apache OpenOffice
Daniel Veillard
veillard at redhat.com
Mon Jul 22 04:57:13 UTC 2013
On Mon, Jul 22, 2013 at 12:52:29AM +0200, Andrea Pescetti wrote:
> On 19/07/2013 Daniel Veillard wrote:
> >One of my specific requests there is to make sure that they link to the system
> >libraries instead of relying on the embedded version used e.g. for
> >Windows build. Very specifically make sure libxml2 etc... is not
> >provided by static version inside but uses the system one (so we don't
> >have to push Apache OpenOffice too if there is a libxml2 security errata !)
>
> This is a guideline and we will follow it as closely as possible,
> but we do still have some incompatibilities (meaning that OpenOffice
> needs specially patched versions of some dependencies, or older
> versions of libraries) which means that we won't be able to solve
> the problem completely (well, patches welcome).
>
> As for the security errata, I understand the technical point and I
> agree with it, but in practice I wouldn't be too much concerned
> about it. OpenOffice released only one out-of-cycle security update
> in the last two years, and only three new versions in the same
> timeframe. While the release cycle is expected to become shorter,
> OpenOffice is still very far from releasing too often.
Being the guy who handles the security errata for libxml2, I
know that we avoided pushing OpenOffice a number of times in the past
because our packagers and devels spent an awful lot of time removing
copies of system libraries out of OpenOffice ! That game lasted over
a decade, I don't want a "new" packaging forgetting all that work, just
because of simplicity, negligence or "I'm not too worried".
Want to put OpenOffice back in, sure, but play by the rules !
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard at redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/