Proposal to reduce anti-bundling requirements

Stephen John Smoogen smooge at gmail.com
Mon Oct 5 14:48:16 UTC 2015


On 5 October 2015 at 05:09, Dave Love <d.love at liverpool.ac.uk> wrote:
> Tom Hughes <tom at compton.nu> writes:
>
>> Recently I even saw a case of a header only C++ library bundling
>> another C++ header library which raises slightly metaphysical questions
>> since dependants of a header only library need to be rebuilt when it
>> changes anyway if they are to pick up security fixes. Strictly speaking
>> that's even true of a more traditional library if the security fix
>> happens to be in a header, but I wonder how well we pick up such
>> things and propagate them?
>
> I don't think that's uncommon in applications I see.  I've been puzzled
> throughout why using things like Boost isn't counted and why this only
> seems to be about security, from what people have been saying.
>
> A header-only, or header-mainly, library seems quite likely to affect
> security-sensitive programs.  On the other hand, the sort of (likely
> modified or version-specific) libraries for building the scientific
> programs I'm interested in seem to be problematical on the same level as
> things affecting potentially security-sensitive system programs.
>

I believe people are mostly dealing with security because it is the
side that has the most real world effects and is the hammer which
usually gets people to do something after they ignored it when all the
other arguments have been made. In this networked world everything
becomes security sensitive, because a hacker doesn't need to be root to
do a lot of things.

Hackers have used HPC computers for bitcoin mining because a grid app
had an overflow which allowed them to run apps as a general user. They
have set up spam farms for similar things. Another just decided on a
lark to change data in a database to see if anyone noticed. All of
which has interfered with research (and affected at least a couple of
PhDs' graduation times).

Most of those break-ins happened because of applications which were
considered non-security related and usually via a bundled pile of PHP
or Java.

> I am all in favour of unbundling as much from such packages as
> reasonably practical, from an engineering and system management point of
> view, and have done it.  I'm just puzzled by some of the rationale in
> the discussion.
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct



-- 
Stephen J Smoogen.