Re: proposal to remove static libs from -devel packages for FC5
- From: Daniel Veillard <veillard redhat com>
- To: Ralf Corsepius <rc040203 freenet de>
- Cc: List for Fedora Package Maintainers <fedora-maintainers redhat com>
- Subject: Re: proposal to remove static libs from -devel packages for FC5
- Date: Thu, 28 Jul 2005 09:20:36 -0400
On Thu, Jul 28, 2005 at 02:29:07PM +0200, Ralf Corsepius wrote:
> On Thu, 2005-07-28 at 07:05 -0400, Daniel Veillard wrote:
> > On Fri, Jul 22, 2005 at 08:08:17PM -1000, Warren Togami wrote:
>
> >
> > Now multiply by the number of libraries we ship, to me you annoy the user
> > and the maintainers.
> >
> > I really disagree with this myself.
> Then let me turn your remark around into a devel's advocate question:
>
> Which packages in all RH based distributions (FC, FE, etc.) are
> statically linked against libxml and therefore will be subject to the
> vulnerability that allows arbitrary users to become root by parsing
> xml-files, to be discovered, tomorrow?
I don't think there is any in the distro (I think the open-office specific
version was removed). The problem of course is for ISVs and independent
developers. Sorry you tried to attack the problem from the wrong angle.
I could not conclude whether you suspected libxml2 had security problems
when parsing files, I hope not. Now if you are really worried, I would suggest
you start chasing the various expat libraries used right and left, some
of them using the system ones but not all ...
Daniel
--
Daniel Veillard | Red Hat Desktop team http://redhat.com/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/