proposal to remove static libs from -devel packages for FC5
Daniel Veillard
veillard at redhat.com
Thu Jul 28 13:20:36 UTC 2005
On Thu, Jul 28, 2005 at 02:29:07PM +0200, Ralf Corsepius wrote:
> On Thu, 2005-07-28 at 07:05 -0400, Daniel Veillard wrote:
> > On Fri, Jul 22, 2005 at 08:08:17PM -1000, Warren Togami wrote:
>
> >
> > Now multiply by the number of libraries we ship, to me you annoy the user
> > and the maintainers.
> >
> > I really disagree with this myself.
> Then let me turn your remark around into a devel's advocate question:
>
> Which packages in all RH based distributions (FC, FE, etc.) are
> statically linked against libxml and therefore will be subject to the
> vulnerability that allows arbitrary users to become root by parsing
> xml-files, to be discovered, tomorrow?
I don't think there is any in the distro (I think the open-office specific
version was removed). The problem of course is for ISVs and independent
developers. Sorry, you tried to attack the problem from the wrong angle.
I could not conclude whether you suspected libxml2 had security problems
when parsing files, I hope not. Now if you are really worried, I would suggest
you start chasing the various expat libraries used right and left, some
of them using the system ones but not all ...
Daniel
--
Daniel Veillard | Red Hat Desktop team http://redhat.com/
veillard at redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/