Michael S Gilbert wrote [Sun, Oct 18, 2009 at 08:43:35PM -0400]:
> Hi,
>
> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1]. This script is embedded in about 32 other
> packages and I would like to file bugs against all of those that are
> affected. Since this would probably be considered a mass filing, I am
> running it past -devel first.
> (…)

Just for the record, I agree with your mass filing (which is not massive
anyway). However, I'd also suggest your bugs (and as a matter of general
policy) should invite said maintainers to depend on libjs-prototype and
symlink it instead of shipping the package's own versions, except if there
is a _real_ need to do so (i.e. upstream-modified versions of prototype or
dependence on specific API versions).

As those packages are currently shipping, they are basically worse off than
if they were statically linking a library: it leads to code duplication and
cases such as this, where it becomes a serious and hard-to-fix security
liability which not only must be hand-corrected, but must be hand-spotted.

--
Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244
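The "hand-spotted" problem above is the part that can be automated. The following script is an added example, not something from the thread or from Debian's tooling: it walks a tree of unpacked packages, finds every prototype.js, and reports whether each one is a symlink (the recommended setup), an identical vendored copy, or a diverged copy that would need its own fix. The system path of the libjs-prototype copy and the sample package trees are assumptions constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: classify embedded copies of prototype.js relative to the
# copy shipped by libjs-prototype. On Debian that copy lives under
# /usr/share/javascript/prototype/ (assumption); the demo below builds a
# fake system copy and three package trees in a temp directory instead.

# classify_copy FILE SYSTEM_COPY -> prints "symlink", "identical" or "diverged"
classify_copy() {
    if [ -L "$1" ]; then
        echo symlink           # points at the shared copy: fixed centrally
    elif cmp -s "$1" "$2"; then
        echo identical         # byte-for-byte duplicate: still must be fixed per package
    else
        echo diverged          # modified or older copy: needs a hand-inspected fix
    fi
}

# scan_tree ROOT SYSTEM_COPY -> one line per prototype.js found: "<class> <path>"
scan_tree() {
    find "$1" -name 'prototype.js' \( -type f -o -type l \) | sort | while read -r f; do
        echo "$(classify_copy "$f" "$2") $f"
    done
}

# Constructed sample data: a fake system copy plus three package trees.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sys" "$root/pkg-a/js" "$root/pkg-b/js" "$root/pkg-c/js"
    printf 'var Prototype = { Version: "1.6.1" };\n' > "$root/sys/prototype.js"
    cp "$root/sys/prototype.js" "$root/pkg-a/js/prototype.js"          # vendored, still identical
    printf 'var Prototype = { Version: "1.5.0" };\n' > "$root/pkg-b/js/prototype.js"  # old, diverged
    ln -s "$root/sys/prototype.js" "$root/pkg-c/js/prototype.js"       # the recommended symlink
    scan_tree "$root" "$root/sys/prototype.js" | grep -v "$root/sys/"  # skip the system copy itself
    rm -rf "$root"
}

demo
```

Running it prints three lines, one per package tree, tagged identical, diverged and symlink respectively; only the symlinked package is covered by a fix to libjs-prototype alone.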