[Bug 481536] Review Request: enano - Enano CMS, a php-based modular content management system

bugzilla at redhat.com bugzilla at redhat.com
Fri May 29 19:39:15 UTC 2009

https://bugzilla.redhat.com/show_bug.cgi?id=481536

--- Comment #16 from Toshio Ernie Kuratomi <a.badger at gmail.com>  2009-05-29 15:39:13 EDT ---
What I'm communicating is that sanitising user input is only one part of
security and it doesn't form a complete argument for why bundling libraries
would be okay.  If you didn't bundle your libraries, you'd still pass the data
through the Enano preprocessor before handing off to the third party libraries,
right?  So there's no security advantage to bundling.  But the security
advantage to unbundled libraries is that if there's a security flaw in an
unbundled library, we can address that by updating a single package.  If
there's a security flaw and enano, drupal, phpnuke, and wordpress all have that
library bundled, then we have to find that the library exists in each of those
packages, backport the fix to each of the versions each of those apps is
bundling, make it work with the local modifications that you may have applied,
rebuild all of those packages, and release new versions of all of those
packages with a security announcement for each of those packages which our
users then have to download and install on their machines.
