
Re: Merging libnss-dns-udeb and libnss-files-udeb back into libc6-udeb



On 2016-03-13 02:26, Aurelien Jarno wrote:
> Hi,
> 
> For historical reasons (disk space on boot floppies), the libnss_dns.so.2
> and libnss_files.so.2 libraries are in separate udeb packages, namely
> libnss-dns-udeb and libnss-files-udeb. This is not the case for the deb
> package, where everything is in the libc6 package.
> 
> In practice these libraries are really small by today's standards (22kB
> and 47kB uncompressed), and moreover libnss-dns-udeb is already included
> in all images. In addition these libraries are tightly coupled to the
> libresolv library which is in libc6-udeb. The recent CVE-2015-7547 has
> shown that, and Ubuntu hit a bug by having the two out of sync in their
> installer [1]. We would have got the same if debian-installer was pulling
> its udeb from debian-security.

Thinking a bit more about that, we'll have the same problem. Our 8.3
debian-installer images will likely break when 8.4 is released.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
