Marius Mauch wrote:
> So everyone who has valid objections to the _general idea_ of this
> implementation (preserving old libraries to avoid some runtime linker
> errors) speak up now.

For how long are these libraries preserved? This might have a security
impact in cases like the recent openssl-case where you had to upgrade to
an incompatible ABI because the version using the old one was
vulnerable. Using preserve-libs it would leave the old lib around,
making it possible for programs to link against the wrong version and
end up being vulnerable. I realize that the feature is meant to help
the transitional phase until all apps are built against the new ABI, but
how would you find these vulnerable apps currently? revdep-rebuild
wouldn't rebuild them since they are still functional.

--
Kind Regards,

Simon Stelling
Gentoo/AMD64 developer
--
gentoo-portage-dev@g.o mailing list