
Re: Python talks at DebConf



On Sat, May 8, 2010 at 11:51 AM, Emilio Pozuelo Monfort
<pochu@debian.org> wrote:
>> 80kb of duplicated
>> code (even 8Mb) isn't worth the wasted time for troubleshooting in 2010.
>> It may be a reason for security, but why not just let packages
>> register their used version in a Debian registry and track it there?
>
> Because if there's a security hole in that code, you would need to make a lot of
> DSAs (see the recent problem with expat that was embedded in a lot of places).

What's wrong with contacting upstream about security holes in their
applications due to wrong libraries shipped? Shouldn't Debian
collaborate with the upstream sources that make this system so popular? Or
is the aim to make DD jobs easier - "let Debian be secure and do not
care about upstream"? The typical scenario (a source of all my rants)
- jQuery bundled with Trac. Do you really think Trac developers should
not receive notification from Debian if there is a security bug
in it? Do you think they should monitor the status of the jQuery library
themselves along with a couple of other python modules?

> That's even worse than statically linking, since those embedded copies are forks
> of their original upstream many times.

Something tells me that "static linking" is off-topic in this ML.
-- 
anatoly t.

