proposal to remove static libs from -devel packages for FC5

Ralf Corsepius rc040203 at freenet.de
Thu Jul 28 13:53:40 UTC 2005


On Thu, 2005-07-28 at 09:20 -0400, Daniel Veillard wrote:
> On Thu, Jul 28, 2005 at 02:29:07PM +0200, Ralf Corsepius wrote:
> > On Thu, 2005-07-28 at 07:05 -0400, Daniel Veillard wrote:
> > > On Fri, Jul 22, 2005 at 08:08:17PM -1000, Warren Togami wrote:
> > 
> > > 
> > >  Now multiply by the number of libraries we ship, to me you annoy the user
> > > and the maintainers.
> > > 
> > >   I really disagree with this myself.
> > Then let me turn your remark around into a devel's advocate question:
> > 
> > Which packages in all RH based distributions (FC, FE, etc.) are
> > statically linked against libxml and therefore will be subject to the
> > vulnerability that allows arbitrary users to become root by parsing
> > xml-files, to be discovered, tomorrow?
> 
>   I don't think there is any in the distro (I think open-office specific
> version was removed).
You think ... this isn't enough. You should be sure, otherwise in case
of serious emergency with libxml, _you_ can't react.

>  The problem of course is for ISV and independent
> developers. Sorry you tried to attack the problem from the wrong angle.
Why, what's technically wrong with my proposal? What would you propose
instead?

Shipping static libraries to me means handing people a loaded gun.
It's only a matter of time until somebody stumbles and shoots himself.

>   I could not conclude whether you suspected libxml2 had security problems
> when parsing files, I hope not.
Any widely used major library is potentially subject to vulnerabilities,
especially those being used in applications with network access like
libxml - You simply can't be sure - never.

>  Now if you are really worried, I would suggest
> you start chasing the various expat libraries used right and left some
> of them using the system ones but not all ...
I am worried about all statically linked applications; nobody knows
exactly what they are actually linked against, and therefore they are hot
candidates to be missed during security updates.

Ralf
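The inventory problem Ralf describes (a statically linked copy of libxml never shows up as a package dependency, so a security update to the libxml package does not reach it) can be checked for directly. The following is an added example, not code from this thread or from Fedora: it parses the ELF64 section headers of a binary, lists the sonames recorded in DT_NEEDED (what the binary declares it links against), and, when no `libxml2.so` entry is present, falls back to looking for libxml2 symbol-name strings left behind by static linking. The soname prefix, the marker list (`xmlReadFile`, `xmlReadMemory`, `xmlParseDocument`, which survive in `.strtab` unless the binary is stripped) and the `/usr/bin` default are assumptions of this example; `build_sample_elf` constructs minimal, non-loadable ELF images purely as test input.

```python
"""Inventory ELF64 binaries for a library that may have been linked in statically.

Added example (not from the Fedora-maintainers thread). Reads DT_NEEDED out of
the .dynamic section to see what a binary declares it links against, then
falls back to a marker-string heuristic for copies of the library that were
linked statically and therefore never appear in DT_NEEDED.
"""
import os
import struct

ELF_HDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
SEC_HDR = "<IIQQQQIIQQ"          # ELF64 section header
DYN_ENT = "<qQ"                  # ELF64 .dynamic entry: (d_tag, d_val)
SHT_PROGBITS, SHT_STRTAB, SHT_DYNAMIC = 1, 3, 6
DT_NULL, DT_NEEDED = 0, 1

# Assumption: the library is recognised by its soname prefix and by a few of
# its exported symbol names (present in .strtab unless the binary is stripped).
LIBXML_SONAME = "libxml2.so"
LIBXML_MARKERS = ("xmlReadFile", "xmlReadMemory", "xmlParseDocument")


def dt_needed(data: bytes):
    """Return the DT_NEEDED sonames of an ELF64 little-endian image,
    or None if the bytes are not such an image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SEC_HDR, data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = []
    for sec in sections:
        if sec[1] != SHT_DYNAMIC:
            continue
        str_off = sections[sec[6]][4]          # sh_link -> .dynstr, take its file offset
        off, end = sec[4], sec[4] + sec[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_ENT, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                start = str_off + val
                needed.append(data[start:data.index(b"\0", start)].decode())
            off += 16
    return needed


def markers_present(data: bytes, markers=LIBXML_MARKERS):
    """Marker symbol names found as NUL-terminated strings anywhere in the file."""
    return [m for m in markers if data.find(b"\0" + m.encode() + b"\0") != -1]


def classify(data: bytes, soname=LIBXML_SONAME, markers=LIBXML_MARKERS) -> str:
    needed = dt_needed(data)
    if needed is None:
        return "not-elf64"
    if any(n.startswith(soname) for n in needed):
        return "dynamic"          # dependency is visible to the package manager
    if markers_present(data, markers):
        return "static-suspect"   # library symbols embedded, no DT_NEEDED: an update misses it
    return "unrelated"


def scan_tree(root: str):
    """Yield (path, verdict) for every readable regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, classify(fh.read())
            except OSError:
                continue


def build_sample_elf(needed, rodata_strings=()):
    """Construct a minimal, non-loadable ELF64 image with only the sections the
    parser needs (constructed test input, not a real binary)."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack(DYN_ENT, DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack(DYN_ENT, DT_NULL, 0)
    rodata = b"\0" + b"".join(s.encode() + b"\0" for s in rodata_strings)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    rodata_off = dynamic_off + len(dynamic)
    shoff = rodata_off + len(rodata)

    def sec(typ, off, size, link):
        return struct.pack(SEC_HDR, 0, typ, 0, 0, off, size, link, 0, 1, 0)

    shdrs = (struct.pack(SEC_HDR, *([0] * 10))                  # 0: SHN_UNDEF
             + sec(SHT_STRTAB, dynstr_off, len(dynstr), 0)       # 1: .dynstr
             + sec(SHT_DYNAMIC, dynamic_off, len(dynamic), 1)    # 2: .dynamic, sh_link -> 1
             + sec(SHT_PROGBITS, rodata_off, len(rodata), 0))    # 3: .rodata
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8         # ELF64, LE, version 1
    hdr = struct.pack(ELF_HDR, ident, 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 0)
    return hdr + dynstr + dynamic + rodata + shdrs


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"   # assumed default
    for path, verdict in scan_tree(root):
        if verdict == "static-suspect":
            print(verdict, path)
```

Run it over a tree of installed binaries and the `static-suspect` list is the set of files a `libxml2` errata update would silently leave unpatched; the marker heuristic is deliberately only a fallback, since a stripped static binary can hide those names, which is exactly the "nobody knows what they are linked against" problem.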