On Sat, May 18, 2013 at 11:38:15 +0200, Hannes von Haugwitz wrote:
> Dear security team,
>
> as suggested by Sam I ask you to comment on the following issue.
>
> I want to statically link my package aide to libcurl, which is
> statically linked for security reasons. Since krb5 does not support
> static libraries any longer (#439039), the static library of libcurl is
> now useless (#495163) and therefore cannot be used by the aide package.
It's useless *for aide purposes*. Again, nothing prevents other people from
using the static libcurl and dynamically linking to krb5 (which is standard
priority anyway).
> I for one would really dislike to drop the static aide binary and think
> a static curl library without krb support is better than the current
> one, which is not usable at all.
I for one would really dislike to provide a crippled static libcurl (not to
mention the maintenance hell of having to rebuild each curl SSL version with
and without krb5 support) just for the sake of a single package which doesn't
even really need libcurl to work. I'd rather drop static libcurl completely if
it's really that useless.
> On Wed, May 15, 2013 at 08:06:23AM -0400, Sam Hartman wrote:
> > 3) A static aide with libcurl and somewhat crippled Kerberos meaning
> > that aide needs to get libcurl and krb5 updates.
> > In addition libcurl might potentially need to get rebuilt on Kerberos
> > security updates.
Static libcurl wouldn't need to be rebuilt. aide would "bundle" both libcurl
*and* krb5.
--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

