OpenH264 in Fedora

Reindl Harald h.reindl at thelounge.net
Wed Nov 6 15:47:15 UTC 2013



On 06.11.2013 16:40, Alberto Ruiz wrote:
> On Wed, 2013-11-06 at 16:15 +0100, Reindl Harald wrote:
>>> It's only a nightmare because we've steadfastly refused to build the
>>> tools to a) track library bundling inside app-bundles b) automate bundle
>>> rebuilds c) force replacement of bundle contents either by sysadmin
>>> action or by policy.
>>>
>>> Let's not confuse the current state of the world with the world we'd
>>> like to build.
>>
>> if you are doing all the above stated you re-invent the wheel
>> currently existing with the name RPM or DEB.....

and what does the response below have to do with "automate bundle rebuilds"
and "force replacement of bundle contents" which was the answer to
"a security nightmare"?

the bundle is a bundle because as RPM it could not use the
system library because it needs specific runtime versions

so they are *not* updated with YUM, if you now start to replace libraries
in bundles with fixed versions you modify the bundle and only god knows
which exact versions are compatible and what versions of "yourlib.so"
are used by different bundles - replace them and you may break them

replace them not and you have a security nightmare
so what is the magic solution for this and how should it be applied?

> Quite the contrary, a bundle should not modify the operating system or
> compromise its integrity, think about it, if a user installs Chrome in
> Fedora today (and if we render the default Firefox experience unusable
> for WebRTC, people will) he gets a new Yum repo in his system without
> any notice...
> 
> If the RPM repo breaks, yum will stop working... (if some repo fails to
> answer yum will quit with an error) so with the current model you are
> encouraging third parties to push for ways to shoot yourself in the
> foot.
> 
> Think about it for a moment, we are encouraging third party apps to mess
> with our entire system just because we don't have any other channel to
> deliver end user applications or third party extensions (codecs,
> fonts, ...) than the system wide channel where all the system critical
> stuff goes to. As I mentioned in another thread, you can deliver those
> bundles as rpms if we wanted, but they have to be scriptless
> (pre/postinstall etc) and they need to live in a different yum reposet
> and rpmdb than the things we consider integral parts of the operating
> system
