Mono Package audit

Toshio Kuratomi a.badger at gmail.com
Thu Apr 10 16:01:38 UTC 2008


David Nielsen wrote:
> 
> I'll just comment on the ones I own:
> 
> 
>     .. _banshee: Boo.dll files are in an Extras/Boo directory.  May be
>                 able to disable at buildtime.  Note in spec that Boo
>                 does not build on ppc
> 
> 
> Actually Nant does not build on ppc (well 0.86-beta 1 does but look what 
> happened when we tried that), no Nant means no ppc for Boo. Regardless 
> when Banshee 1.0 can be rolled out this should not be an issue anymore 
> as one of the goals has been to remove all those bundled wonders. I am 
> inclined to think the best option is waiting and letting the problem 
> solve itself upstream. Upstream is very friendly and on a mission to 
> destroy these anyways.
> 
I'm definitely okay with this for libraries which are simply bundled 
(ie: the package is shipping the source for an external library and is 
compiling that before installing it.)  It makes sense that we wait for 
an active and friendly upstream to complete changes they've already 
planned to do something we want.  This appears to be the case for the 
sources in banshee-0.13.2/ext and some of the libraries in 
banshee-0.13.2/src/Extras.

In the Boo case, though, there's a set of precompiled Boo libraries in 
banshee-0.13.2/src/Extras/Boo/ which are not accompanied by any source.
This is more problematic as we have no way to audit those precompiled 
bits.  Are they Boo?  Are they a trojaned Boo?  Are they secret 
government plans to bring about Armageddon masquerading as a .dll? 
Unless you can read CIL byte code, there's no way of knowing.

-Toshio
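
One way to find the kind of files discussed above, as an added example that is not part of the original message or of any Fedora tooling: a Python scan of an unpacked source tree that flags precompiled PE files and uses PE data directory 14 (the CLI header) to tell managed Mono/.NET assemblies from other binaries. The function names are assumptions, and `sample_pe` builds a constructed header used only as test input.

```python
import os
import struct
import sys

CLR_DIR = 14  # PE data directory 14 holds the CLI (.NET/Mono) header

def classify(data):
    """Return 'cli' for a managed assembly, 'pe' for any other PE file, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = pe_off + 24  # optional header follows signature + 20-byte COFF header
    # Data directories start 96 bytes in for PE32 (0x10B), 112 for PE32+ (0x20B).
    dirs = opt + {b"\x0b\x01": 96, b"\x0b\x02": 112}.get(data[opt:opt + 2], 0)
    entry = dirs + 8 * CLR_DIR
    if dirs == opt or len(data) < entry + 8:
        return "pe"  # unknown or truncated optional header
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, entry)
    return "cli" if count > CLR_DIR and rva and size else "pe"

def scan_tree(root):
    """Return sorted (relative path, kind) for every PE file under root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip broken symlinks and specials
                continue
            with open(path, "rb") as fh:
                kind = classify(fh.read(4096))  # headers sit at the file start
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)

def sample_pe(managed):
    """Constructed minimal PE32 header for testing; not a loadable binary."""
    buf = bytearray(0x40 + 24 + 96 + 16 * 8)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)     # e_lfanew -> PE signature
    struct.pack_into("<H", buf, 0x58, 0x10B)    # optional header magic: PE32
    struct.pack_into("<I", buf, 0x58 + 92, 16)  # NumberOfRvaAndSizes
    if managed:  # constructed non-zero RVA/size for the CLI header entry
        struct.pack_into("<II", buf, 0x58 + 96 + 8 * CLR_DIR, 0x2008, 72)
    return bytes(buf)

if __name__ == "__main__":
    for path, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path)
```

A hit only shows that a binary ships prebuilt in the tree; it says nothing about what the binary contains, which is the audit problem the message describes.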
