[Proposal] Ring-based Packaging Policies

Florian Weimer fweimer at redhat.com
Fri Feb 13 19:20:50 UTC 2015

On 02/13/2015 04:13 PM, Stephen Gallagher wrote:
> I'd like to point out something that I think you missed in my
> initial email. I'm not saying that anything should be allowed to
> bundle software transparently. The primary problem we faced back in
> '99 was that *we didn't know what was bundling libz*. With an
> enforced virtual Provides: bundled(foo) we can at least get an
> accurate listing of the set of packages that would need to be
> updated in the event of a vulnerability.

I'm not worried so much about detection, but about fixing complicated
vulnerabilities (that is, not your usual C memory safety issue) in
dozens of libraries which have slightly drifted out of sync and may
even have been patched locally, specifically for the purposes of their
bundled application.

I have some people express the notation that they can always switch to
the system library version in case a security vulnerability comes out,
but I doubt that this works in practice (because then there wouldn't
be a reason for bundling).

Florian Weimer / Red Hat Product Security

More information about the devel mailing list