[Proposal] Ring-based Packaging Policies
Ralf Corsepius
rc040203 at freenet.de
Fri Feb 13 12:54:59 UTC 2015
On 02/13/2015 10:56 AM, Petr Spacek wrote:
> Modified version of Zbyszek's idea with time constraints follows:
>
> 1) Accept the new package into Fedora N even with bundled libraries.
I am inclined to think Fedora needs to encounter a serious vulnerability
originating from bundling, such that you guys comprehend, why bundling
is utterly stupid ;)
For those who don't know what I am talking about:
Many years ago (IIRC, ~1999), nobody cared about static linkage or
bundling. At this time, it was common to statically link and/or bundle
libraries.
Then a critical vulnerability was found in libz affecting all Linux
distros. Nobody knew which packages all bundled and/or statically linked
against different versions of libz. It took months for all Linux
distributions to identify their vulnerable packages, to find solutions
and to release security-fixes.
Meanwhile, we've had much more critical vulnerabilities in widely used
libs (Remember heartbleed), which all have been quite easy to fix
packaging-wise. IMO, to a great portion, thanks to having mostly banned
static linkage and bundling.
Ralf
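The kind of check the libz incident above lacked, as an added example that is not part of Ralf's message or of any Fedora tooling: a scanner that answers "which files carry their own copy of zlib, and at which version?" A binary that links libz dynamically contains none of zlib's code, so the copyright strings that zlib's inflate.c and deflate.c embed only show up in files that statically link or bundle the library. The fix version "1.1.4", the file names and the byte strings below are all constructed for the example, and the whole approach is a heuristic: a stripped or patched copy that drops those strings will not be found.

```python
"""Heuristic scanner for statically linked or bundled copies of zlib.

Dynamically linked binaries contain no zlib code, so the well-known
copyright strings from zlib's inflate.c / deflate.c appear only in files
that carry their own copy of the library. Grepping for them is a crude
but useful way to answer "which packages bundle libz, at which version?"
when a libz advisory lands. Stripped or modified copies may evade it.
"""
import os
import re
from typing import Dict, List, Tuple

# zlib's sources embed strings of the form
#   " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
#   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
# The second capture group is the embedded zlib version.
_ZLIB_SIG = re.compile(rb" (inflate|deflate) (\d+(?:\.\d+)+) Copyright \d{4}")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(data: bytes) -> List[str]:
    """Return the distinct zlib versions whose copyright strings appear in data."""
    found: List[str] = []
    for _routine, version in _ZLIB_SIG.findall(data):
        v = version.decode("ascii")
        if v not in found:
            found.append(v)
    return found


def vulnerable_bundles(files: Dict[str, bytes], fixed_in: str) -> Dict[str, List[str]]:
    """Map each file name to the embedded zlib versions older than fixed_in.

    Files with no embedded zlib (dynamically linked, or unrelated) are
    omitted, as are files whose embedded copy is already at or past the fix.
    """
    fixed = parse_version(fixed_in)
    report: Dict[str, List[str]] = {}
    for name, data in files.items():
        old = [v for v in embedded_zlib_versions(data) if parse_version(v) < fixed]
        if old:
            report[name] = old
    return report


def scan_tree(root: str, fixed_in: str, max_size: int = 64 * 1024 * 1024) -> Dict[str, List[str]]:
    """Walk a directory (e.g. an unpacked package payload) and run
    vulnerable_bundles over every regular file up to max_size bytes."""
    files: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                files[path] = fh.read()
    return vulnerable_bundles(files, fixed_in)


# Constructed sample "binaries" (not real files): the strings mimic what the
# real zlib sources embed, padded with filler bytes to stand in for code.
SAMPLE_FILES: Dict[str, bytes] = {
    # Dynamically linked: references libz.so.1 but contains no zlib code.
    "usr/bin/dyn-tool": b"\x7fELF" + b"\x00" * 32 + b"libz.so.1\x00",
    # Statically linked against an old zlib: both copyright strings present.
    "usr/bin/static-old": b"\x7fELF" + b"\x00" * 8
        + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
        + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ",
    # Bundled copy of a newer zlib.
    "usr/lib/bundled-new.so": b"\x7fELF" + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ",
    # Mentions zlib in prose only; must not be reported.
    "usr/share/doc/README": b"This program uses zlib, see http://zlib.net/\n",
}

if __name__ == "__main__":
    # Assumed advisory: "fixed in zlib 1.1.4" (constructed value for the example).
    for path, versions in vulnerable_bundles(SAMPLE_FILES, "1.1.4").items():
        print(f"{path}: bundles zlib {', '.join(versions)} (older than 1.1.4)")
```

Run it against an unpacked package tree with `scan_tree("/path/to/unpacked", "1.1.4")`; anything it reports is a package that must be rebuilt or patched separately from the system libz, which is exactly the per-package hunt the post describes. Dynamically linked binaries never appear in the report, which is the packaging-side reason a single libz update fixes them all at once.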