| 1 |
On 9/18/19 2:04 PM, Alec Warner wrote: |
| 2 |
> |
| 3 |
> I'm actually pretty fine with this wording, upstream has said not to |
| 4 |
> dynamically link in these use cases. |
| 5 |
> |
| 6 |
|
| 7 |
Respectfully, the fact that you're OK with it doesn't make it not BS. It |
| 8 |
reads like "there's no way we can fix this!" when really it means "we |
| 9 |
don't feel like doing this properly!" |
| 10 |
|
| 11 |
Upstreams suggest dumb stuff all the time. We fix it. That's, like, what |
| 12 |
we do here. |
| 13 |
|
| 14 |
|
| 15 |
> |
| 16 |
> So if the package *maintainer* bumps each package every time it, or a |
| 17 |
> dep has a security issue; then updating will work fine. |
| 18 |
> |
| 19 |
|
| 20 |
Simply not true. If there's a security problem in a dependency and if |
| 21 |
you bump the packages that depend on it... nothing happens. Everyone |
| 22 |
reinstalls the vulnerable dependency, because the vulnerable dependency |
| 23 |
is bundled in every single one of those packages. |
Archives