[Secure-testing-team] embedded library copies in monotone

Zack Weinberg zackw at panix.com
Wed Oct 17 02:11:11 UTC 2007


On 10/16/07, Stefan Fritsch <sf at debian.org> wrote:
> On Monday 15 October 2007, you wrote:
> > I maintain the monotone package, which presently contains embedded
> > copies of several external libraries.  It is not on your list.
> > (It's not presently in testing due to unrelated problems, but it
> > hopefully will be again soon.)  Upstream is aware that this is a
> > problem for Debian and other distributions, but has had serious
> > problems with library version skew in the past and is therefore
> > being very cautious and slow about opening up the possibility of
> > using dynamic linkage.
[...]
>
> Thanks for the information, I added it to the list. But I really think
> you should try to link dynamically in your Debian package where
> possible, even if upstream doesn't want to do it. In particular
> libpcre already had security issues in the past, so it would be
> important that you try to link to the packaged version.

I'm not going to diverge from upstream on this.

Upstream moved *away* from external libraries after being badly burned
by not being able to control exactly which version of the external
libraries was in use.  We are talking about things like data
corruption bugs tracked to bad interaction between monotone's use
pattern and particular patch levels of sqlite.  In some cases there
have also been locally-applied modifications necessary for
correct/secure behavior.  Everyone agrees that this is not the ideal
state, but at present, if I were to switch the Debian packages to
external libraries, upstream would insist that any bug reported
against the packaged binaries be reproduced with a bundled-library
version before they'd look at it.

Some context -

http://lists.gnu.org/archive/html/monotone-devel/2005-04/msg00175.html
http://lists.gnu.org/archive/html/monotone-devel/2005-07/msg00192.html

zw
