[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: packaging a static library



On 12/30/2009 07:29 AM, Jon Masters wrote:
On Tue, 2009-12-29 at 14:41 +0100, Ralf Corsepius wrote:
On 12/29/2009 11:52 AM, Daniel Drake wrote:

OLPC has previously had a specific version of tomcrypt/tommath
professionally audited for security reasons. So we obviously want to
stick with that version.

A few packages we have in Fedora currently use this frozen, audited
version - we do so by shipping duplicate copies of that source code
within the individual packages, rather than linking against the dynamic
systemwide equivalents.

If all users of the library were using the same, identical shared
versions, everybody would benefit from your "auditing", maintainers
would benefit from "issues being fixed" at one place, users would
benefit from you not shipping statically linked packages.

One presumes that such auditing is expensive, lengthy, and not often to
be repeated. Committing to undertaking a full code audit on every update
would seem to be a little unreasonable of a request. So I think it's
obvious that if they want to use an audited version, there will have to
be a separate audited version.

Well, I disagree: If they want to use "their audited version", they haven't understood how open source works. They qualify as jerks who prefer to use proprietary forks instead of "paying back" to "upstream" and the wider user-base.

Ralf
