| 1 |
On 4/1/20 11:49 AM, Alec Warner wrote: |
| 2 |
> Imagine a common dep (CommonFoo-x-y-z) |
| 3 |
> has a security problem, so we must upgrade to CommonFoo-y-z. In the |
| 4 |
> scenario where CommonFoo is a dynamically linked package we can |
| 5 |
> recompile it once[4] and new consumers will just use the new dynamic |
| 6 |
> shared object. In a bundling scenario, we will be forced to rebuild[5] |
| 7 |
> all consumers. |
| 8 |
|
| 9 |
This is highly euphemistic. What actually happens is: someone discovers |
| 10 |
a security issue in a Go library. That library is not "in" Gentoo, |
| 11 |
because it only ever appears in a string inside of another ebuild that |
| 12 |
bundles everything. Thereafter, a whole lot of nothing happens. Users |
| 13 |
remain vulnerable "forever," until some other unrelated event causes |
| 14 |
both the ebuild and its dependency to be updated. |
| 15 |
|
| 16 |
Your license scenario is also wishful thinking. All of the LICENSE bugs |
| 17 |
reported when this eclass was proposed have been sitting open for six |
| 18 |
months. As soon as the eclass was committed, that shit went out the door |
| 19 |
and the developers moved on to make more money at our expense. You got |
| 20 |
scammed. |
Archives