[Mageia-dev] Meeting for secteam start
Stew Benedict
stewbintn at gmail.com
Sat Apr 16 13:42:43 CEST 2011
On 04/16/2011 06:49 AM, Thierry Vignaud wrote:
> On 16 April 2011 10:10, Michael Scherer <misc at zarb.org> wrote:
>
>>> * check our srpm database (Vincent later reworked this) for all the
>>> places the affected source code
>>> may be buried (many packages embed copies of other source)
>>>
>> I would propose to have a policy of using system wide library and do not
>> allow bundled copy ( but this would be likely annoying for some case ).
>>
> That was the policy at mdv too.
> We'd too much pain with all those copies.
>
>
And for the most part this worked. If I remember correctly, the biggest
pain points were xpdf code being cloned all over and libtiff?
I believe the xpdf situation has improved considerably since then,
although I haven't spent a lot of time with the code of the various
readers. I seemed like we had an xpdf vuln once a month or so, which
triggered updates of several packages. At least having the tool to
search the source tarballs gave us an easy way to check possible areas
that might be at risk (although the initial database load took some time
(clock time, not people time).
Other suggestions on openness make perfect sense to me. No need to be
"secret" about anything unless we really have to.
--
Stew Benedict
New Tazewell, TN
More information about the Mageia-dev
mailing list