On 4/1/20 11:49 AM, Alec Warner wrote:
> Imagine a common dep (CommonFoo-x-y-z)
> has a security problem, so we must upgrade to CommonFoo-y-z. In the
> scenario where CommonFoo is a dynamically linked package we can
> recompile it once[4] and new consumers will just use the new dynamic
> shared object. In a bundling scenario, we will be forced to rebuild[5]
> all consumers.

This is highly euphemistic. What actually happens is: someone discovers
a security issue in a Go library. That library is not "in" Gentoo,
because it only ever appears in a string inside of another ebuild that
bundles everything. Thereafter, a whole lot of nothing happens. Users
remain vulnerable "forever," until some other unrelated event causes
both the ebuild and its dependency to be updated.

Your license scenario is also wishful thinking. All of the LICENSE bugs
reported when this eclass was proposed have been sitting open for six
months. As soon as the eclass was committed, that shit went out the door
and the developers moved on to make more money at our expense. You got
scammed.