
Re: Sponsor and review request: opendap, librx



On Sat, 2005-04-23 at 14:49 -0400, Ed Hill wrote:

> In terms of both policy and practical considerations, is it OK to allow
> packages (like OPeNDAP) to include their own versions of some libs?  Or
> should we patch their build system(s) to use the versions provided by
> the "official" RPMs?

No, it really isn't. This is how known security holes stick around for
long periods of time after the core libs have been patched (like openssl
in KDE).

This should be policy, and I'll add it to the guidelines.

I'm reworking opendap to use the system libs (new packages shortly).

~spot
-- 
Tom "spot" Callaway: Red Hat Sales Engineer || GPG Fingerprint: 93054260
Fedora Extras Steering Committee Member (RPM Standards and Practices)
Aurora Linux Project Leader: http://auroralinux.org
Lemurs, llamas, and sparcs, oh my!

