On 9/18/19 2:04 PM, Alec Warner wrote:
>
> I'm actually pretty fine with this wording, upstream has said not to
> dynamically link in these use cases.
>

Respectfully, the fact that you're OK with it doesn't make it not BS. It
reads like "there's no way we can fix this!" when really it means "we
don't feel like doing this properly!"

Upstreams suggest dumb stuff all the time. We fix it. That's, like, what
we do here.


>
> So if the package *maintainer* bumps each package every time it, or a
> dep, has a security issue, then updating will work fine.
>

Simply not true. If there's a security problem in a dependency and if
you bump the packages that depend on it... nothing happens. Everyone
reinstalls the vulnerable dependency, because the vulnerable dependency
is bundled in every single one of those packages.
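The point made above (that bumping the dependents does nothing for a vulnerable bundled dependency until each dependent is rebuilt against the fixed version) can be checked mechanically. The following is an added example, not code from the thread or from any distribution's tooling: it models packages that carry statically linked copies of their dependencies, audits which installed packages still embed a version older than the fix, and contrasts a plain revision bump with an actual rebuild. All package names and version numbers are constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    # Dependencies compiled into this package's binary: name -> version.
    # With static linking there is no shared copy that can be updated on its own.
    bundled: Dict[str, str] = field(default_factory=dict)


def parse_version(v: str) -> tuple:
    """Turn '2.3.4' into (2, 3, 4) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def affected_packages(installed: List[Package], dep: str, fixed: str) -> List[str]:
    """Names of installed packages whose bundled copy of `dep` is older than `fixed`."""
    return sorted(
        p.name
        for p in installed
        if dep in p.bundled and parse_version(p.bundled[dep]) < parse_version(fixed)
    )


def revision_bump(installed: List[Package], dep: str) -> List[Package]:
    """Model a maintainer bumping every dependent's own version without touching
    the vendored dependency: the bundled copy is carried over unchanged."""
    out = []
    for p in installed:
        if dep in p.bundled:
            major, minor, patch = parse_version(p.version)
            out.append(replace(p, version=f"{major}.{minor}.{patch + 1}"))
        else:
            out.append(p)
    return out


def rebuild_with(installed: List[Package], dep: str, new_version: str) -> List[Package]:
    """Model rebuilding every dependent against the fixed dependency version."""
    return [
        replace(p, bundled={**p.bundled, dep: new_version}) if dep in p.bundled else p
        for p in installed
    ]


# Constructed sample set: two packages bundle the hypothetical "libfoo".
INSTALLED = [
    Package("app-a", "1.0.0", {"libfoo": "2.3.0", "libbar": "0.9.1"}),
    Package("app-b", "4.2.0", {"libfoo": "2.3.4"}),
    Package("app-c", "0.1.0", {"libbar": "0.9.1"}),
]
FIXED_LIBFOO = "2.3.5"  # hypothetical version that closes the hole

if __name__ == "__main__":
    print("still vulnerable before any action:",
          affected_packages(INSTALLED, "libfoo", FIXED_LIBFOO))
    print("still vulnerable after bump only:",
          affected_packages(revision_bump(INSTALLED, "libfoo"), "libfoo", FIXED_LIBFOO))
    print("still vulnerable after rebuild:",
          affected_packages(rebuild_with(INSTALLED, "libfoo", FIXED_LIBFOO), "libfoo", FIXED_LIBFOO))
```

The audit keys on the version actually embedded in each binary rather than on the dependent's own version string, which is the only number a plain bump changes; that is why the bump-only scenario reports the same affected set as before, and only the rebuild empties it.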