F21 Self Contained Change: Playground repository
jwboyer at fedoraproject.org
Wed Apr 9 00:21:11 UTC 2014
On Tue, Apr 8, 2014 at 4:54 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> On Tue, Apr 08, 2014 at 13:04:54 -0400,
> Stephen Gallagher <sgallagh at redhat.com> wrote:
>> Similarly, there are a great many useful Ruby libraries and
>> applications out there for which unbundling them would be an exercise
>> in futility. Ask yourself which is more important to most users:
>> 1) My OS is perfectly maintainable by engineers.
>> 2) My OS lets me install the software I need without hassle.
> This can result in more work when there are security events. One thing I was
> happy about with Fedora is that by updating openssl and restarting services
> I am pretty sure I have blocked that attack. Who is going to do the work
> searching for bundled libraries when similar events occur in the future?
Who is doing that work within Fedora today? After the initial review,
there is no on-going audit of packages _within_ Fedora to make sure
they aren't bundling (or following guidelines at all). That's not to
say that we have a massive problem. It _is_ implying that maybe one
shouldn't blindly trust the guidelines to catch all of the potential
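The "searching for bundled libraries" work Bruno describes can be mechanised, at least for the crude case. The following is an added example written for this archive page, not code from Fedora or from anyone in the thread: it looks for libcrypto's embedded version banner (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1e 11 Feb 2013") inside arbitrary files and reports private copies that are older than the version the distro update shipped. The file contents, paths and version numbers are constructed stand-ins; the function and verdict names are my own.

```python
import re
from typing import Dict, List, Tuple

# libcrypto embeds its version banner (OPENSSL_VERSION_TEXT, for example
# "OpenSSL 1.0.1e 11 Feb 2013") as a plain C string, so a statically linked
# or privately bundled copy carries that banner inside whatever bundles it.
# The pattern requires the release date after the version to cut false hits.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) \d{1,2} [A-Z][a-z]{2} \d{4}")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Version:
    """Turn '1.0.1e' into (1, 0, 1, 'e') so that versions compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL 1.x version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def find_openssl_banners(data: bytes) -> List[str]:
    """Distinct OpenSSL versions whose banner occurs in data, oldest first."""
    found = {m.group(1).decode("ascii") for m in BANNER_RE.finditer(data)}
    return sorted(found, key=parse_version)


def scan(files: Dict[str, bytes], distro_lib: str,
         updated_version: str) -> List[Tuple[str, str, str]]:
    """Report every file carrying an OpenSSL banner.

    files           -- path -> file contents
    distro_lib      -- path of the packaged libcrypto the update replaced
    updated_version -- version the distro update shipped

    Verdicts: 'distro-copy' for the packaged library itself, 'bundled-current'
    for a private copy at or above the updated version, 'bundled-stale' for a
    private copy older than it (the distro update did nothing for that file).
    """
    threshold = parse_version(updated_version)
    report = []
    for path in sorted(files):
        for version in find_openssl_banners(files[path]):
            if path == distro_lib:
                verdict = "distro-copy"
            elif parse_version(version) >= threshold:
                verdict = "bundled-current"
            else:
                verdict = "bundled-stale"
            report.append((path, version, verdict))
    return report


def stale_paths(report: List[Tuple[str, str, str]]) -> List[str]:
    """Binaries that still need a rebuild or vendor update after the distro fix."""
    return [path for path, _, verdict in report if verdict == "bundled-stale"]


# Constructed stand-ins for file contents (hypothetical paths); real use would
# read every file from `rpm -qal` plus anything under /opt and /usr/local.
SAMPLE_FILES = {
    "/usr/lib64/libcrypto.so.1.0.1g":
        b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...",
    "/opt/vendorapp/bin/server":           # statically linked against an old copy
        b"\x7fELF...SSL_CTX_new\x00OpenSSL 1.0.1e 11 Feb 2013\x00...",
    "/opt/vendorapp/lib/libssl.so.1.0.0":  # private copy, but already rebuilt
        b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...",
    "/usr/bin/python":                     # links the system lib, no banner
        b"\x7fELF...Python 2.7.5\x00...",
}


if __name__ == "__main__":
    result = scan(SAMPLE_FILES, "/usr/lib64/libcrypto.so.1.0.1g", "1.0.1g")
    for path, version, verdict in result:
        print("%-40s %-8s %s" % (path, version, verdict))
    print("still stale:", stale_paths(result))
```

Two caveats for anyone running something like this for real: banner scanning only finds copies whose version string survived the build (a vendor who patched or stripped it is invisible), and it says nothing about a binary that links the system libcrypto but was built against an old header. Where the packager followed the Fedora guidelines, the package-level equivalent is the virtual provide, `rpm -q --whatprovides 'bundled(openssl)'`, but that only covers packages whose maintainer declared the bundling in the first place, which is exactly the gap Josh points at above.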