[Bug 457343] Review Request: jquery - Fast, concise library that simplifies how you use javascript
bugzilla at redhat.com
bugzilla at redhat.com
Wed Aug 31 21:26:47 UTC 2011
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=457343
--- Comment #13 from Toshio Ernie Kuratomi <a.badger at gmail.com> 2011-08-31 17:26:45 EDT ---
(In reply to comment #11)
> IMHO, comparing a javascript "library" to a .so is simply wrong to begin with,
> and bundling here should be allowed. The only thing to make sure is that
> security issues can be identified ASAP; which involves making it easy to
> identify every .srpm that bundles a specific jquery version.
Simply identifying is not enough. We must also be able to fix and to deploy
the fix. Treating the javascript library the same as an .so makes that whole
chain the easiest. However, I've already stated that I don't think we can
manage that at the moment and proposed treating javascript libraries as static
libraries (.a) as a better compromise. Treating as a .a allows identifying
because you can query the buildrequires of packages to determine what packages
have linked to jquery. It makes fixing slightly easier because you can know
that the jquery shipped with an app previously does not have local, app-only
modifications. It does not go further to protect us from having to port a lot
of packages to newer APIs at crunch time (in the days or hours before a
vulnerability is publically announced), having to rebuild all affected
packages, or allow us to deploy a single, fixed version of the library package
instead of having to distribute the fixed library and all of the applications
that have been rebuilt with the fixed version.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
More information about the package-review
mailing list