
Re: [ardour-dev] ardour



On Thu 12/09/2002 at 00:46, Paul Davis wrote:

> Ok, so if I understand you correctly, your claim is that Debian users
> never end up with libraries built by a different compiler than the one
> on their system? If this was true (I have some doubt that it is), then
> that would certainly help things a lot. It's certainly not true of
> RedHat, Mandrake and others, who also ship a default C++ compiler
> which is also used to build the provided libraries. Users end up
> updating a library or a compiler for one reason or another, and things
> suddenly get out of sync.

Be warned that I'm only talking about the default compiler. A user can
install another compiler, but if he types in "gcc", it will still launch
the default compiler.

> What about those people who decide that they wanted gcc 3.0's better
> performance on their machine, installed it, switched to it as the
> default, never compiled any C++ until one day ...

If a user wants to use a different compiler, he should know what he is
doing. At first, he will have to rebuild the libraries the software
depends on with the new compiler, and I think (though I'm not sure) that
the compiler will require libraries built with the same compiler, as the
C++ libraries for different compilers have different naming schemes.

> as for security issues, that's pretty much irrelevant for a program
> that to be used as intended, requires root privilege or various
> capabilities that make it possible to do anything with the
> machine. such a program is a massive security hole, and will be until
> the basic level of security granularity in the kernel changes. i'm not
> particularly interested in issues like a buffer overflow fix in some
> C++ library when the program itself is such a huge security hole.

Security issues are all the more important when the program requires
root privileges. A security flaw in the software will have far worse
consequences if the software is run as root. Being run as root is not a
security flaw by itself, it is a conception weakness (due to problems in
the kernel design, if I read you) that must be compensated for by strict
security.
Then, well, your software may not be designed to be secure, and it is
not a big matter for such software, but if a flaw is discovered, don't
you think it would be better to correct it quickly?

> i would like to see a debian package of ardour, i really would. but
> the claims i have read about "complaints will go to the maintainer
> first" don't convince me, and neither does anything you have written
> so far, that such a package would not result in many emails to me
> and/or the ardour email lists talking about strange behaviour by the
> program on someone's machine. i could punt this back down to the
> maintainer, i suppose.

Debian users usually report bugs via the BTS, as it is generally much
simpler for them to use the same interface for all the bugs they report.
Of course, this is not always the case, but I think you shouldn't bother
with this, as the BTS will catch most of the Debian-specific problems.

Greetings,
-- 
 .''`.           Josselin Mouette        /\./\
: :' :           josselin.mouette@ens-lyon.org
`. `'                        joss@debian.org
  `-  Debian GNU/Linux -- The power of freedom
