
Re: RFC: Soname in rpm name



On Mon, 24 Jan 2005 19:25:44 +0000, Mike Hearn <mike navi cx> wrote:
> Face it: people will run the software they want. If you make it difficult
> or annoying for them out of a misguided sense that
> security-through-obnoxiousness is OK, they'll just use Windows which
> doesn't do much for security at all but at least makes it easy for the
> user to achieve their goal.

Yeah... I like AOL's new commercials about virus protection, which
speak to your point about Windows. Achieving one goal quickly can have
very serious long term effects thanks to the insecurity of the quick
solution.  Design decisions meant to make things easier upfront can
have serious security implications. There is always tension between
security and quick solutions.

Let them use Windows... I have no problem with people choosing to use
insecure technology.
But I do have a problem setting up this project in a way that makes it
"very simple" to run old, unmaintained, vulnerable libraries by
inexperienced users of Fedora.   You can do some pretty flexible
things on the command line with rpm if you really want to do it, and I'm
not arguing that ability should be taken away. But I don't want to
encourage the general user base to use packaged libraries from old
trees that are no longer being maintained just because it happens to
be a package they find on the net on an old ftp.  And I definitely
want to encourage package builders to rebuild against libraries that
are being maintained.

> 
> The best solution is for libraries to not break backwards compatibility
> every other week, that way security fixes are magically present even for 5
> year old apps.

This is orthogonal to packaging issues... and frankly... not something
a distributor of libraries can dictate to each upstream project.
Please take your crusade to each and every component project so no
package distributor will ever have to deal with these questions.

> Seriously, 5 years is really nothing, it's all about mindset.

If this were Debian... with Debian timescales for development and
end-of-life... 5 years isn't that long. But this isn't Debian... and
this project doesn't have those sorts of timescales... so with respect
to FC's timetable, 5 years is definitely a long time.

-jef

