On Sat, 17 Feb 2007 14:55:26 +0100
Simon Stelling <blubb@g.o> wrote:

> Marius Mauch wrote:
> > So everyone who has valid objections to the _general idea_ of this
> > implementation (preserving old libraries to avoid some runtime
> > linker errors) speak up now.
>
> For how long are these libraries preserved? This might have a security
> impact in cases like the recent openssl case where you had to upgrade
> to an incompatible ABI because the version using the old one was
> vulnerable. Using preserve-libs it would leave the old lib around,
> making it possible for programs to link against the wrong version and
> end up being vulnerable. I realize that the feature is meant to
> help the transitional phase until all apps are built against the new
> ABI, but how would you find these vulnerable apps currently?
> revdep-rebuild wouldn't rebuild them since they are still functional.

Currently they are around as long as they are referenced by other
packages or until the package is unmerged. And yes, there should be a
way to tell revdep-rebuild/the user which packages should/need to be
rebuilt, but I haven't made my mind up yet on how to accomplish that
(in fact atm there is no separation between "native" and "imported"
libs in vdb, I'm aware that needs to be added).

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
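The detection gap raised in the thread (a program that still runs against a preserved, vulnerable library is invisible to revdep-rebuild) can be closed by reading the linkage records Portage already keeps in the vdb. The following is an added example, not code from the thread or from Portage; it assumes the NEEDED.ELF.2 record layout `arch;obj;soname;rpath;needed` with a comma-separated `needed` list, and all package names, paths and sonames are constructed sample data.

```python
# Added example: cross-check vdb linkage records against the set of
# preserved sonames and report packages that still need a rebuild even
# though they are fully functional (so revdep-rebuild would skip them).
from collections import defaultdict

# Constructed sample vdb records, one NEEDED.ELF.2-style line per ELF object
# (layout assumed: arch;obj;soname;rpath;needed). Values are made up.
VDB = {
    "dev-libs/openssl-0.9.8e": [
        "x86_64;/usr/lib/libssl.so.0.9.8;libssl.so.0.9.8;;libcrypto.so.0.9.8,libc.so.6",
    ],
    "net-misc/wget-1.10.2": [
        "x86_64;/usr/bin/wget;;;libssl.so.0.9.7,libcrypto.so.0.9.7,libc.so.6",
    ],
    "net-misc/curl-7.16.1": [
        "x86_64;/usr/bin/curl;;;libcurl.so.4,libc.so.6",
        "x86_64;/usr/lib/libcurl.so.4;libcurl.so.4;;libssl.so.0.9.8,libc.so.6",
    ],
}

# Sonames kept around by preserve-libs after the ABI bump (constructed).
PRESERVED = {"libssl.so.0.9.7", "libcrypto.so.0.9.7"}


def parse_needed(line):
    """Return (obj, soname, needed_list) from one NEEDED.ELF.2-style record."""
    arch, obj, soname, rpath, rest = line.split(";", 4)
    # Tolerate extra trailing fields: only the first one is the needed list.
    needed = rest.split(";")[0]
    return obj, soname, [n for n in needed.split(",") if n]


def consumers_of_preserved(vdb, preserved):
    """Map each package to the sorted preserved sonames its objects still need."""
    hits = defaultdict(set)
    for pkg, records in vdb.items():
        for rec in records:
            _obj, _soname, needed = parse_needed(rec)
            hits[pkg].update(lib for lib in needed if lib in preserved)
    return {pkg: sorted(libs) for pkg, libs in hits.items() if libs}


if __name__ == "__main__":
    for pkg, libs in sorted(consumers_of_preserved(VDB, PRESERVED).items()):
        print(f"{pkg}: rebuild needed, still links {', '.join(libs)}")
```

Because the check keys on exact sonames rather than on missing files, it flags wget (still bound to the 0.9.7 libraries) while leaving curl alone, which already links the new ABI.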