Hi,

> Upstream Gallery is working on a new version that includes a fix for the
> smarty issue. I agree that using the Debian packaged version is better
> than embedding, but not at the expense of usability.

Of course if there's a short term fix with just an updated Smarty, that's better than no fix at all. However, putting embedding against usability is a false dilemma. The user doesn't see the difference where in the filesystem some piece of code is present. The only reason I can see is that upstream made modifications to stock Smarty. If they have local modifications, it would be interesting to see exactly what they are and if they cannot be implemented in a stock copy.

Be advised that the security team in principle does not consider packages including a verbatim copy of some library acceptable for stable. See for example the recent kazehakase update to see how many security issues in one package can arise from using an outdated embedded library copy.

Please ask upstream to make it easy to switch between the embedded copy and a system copy, e.g. in a constant somewhere (e.g. SMARTY_PATH).

cheers,
Thijs
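One way the switch suggested above could look, as an added example that is not code from the thread, from Gallery or from Smarty; the SMARTY_PATH constant is the one named in the mail, and the directory paths are assumptions:

```php
<?php
// Added example (not from the thread, Gallery or Smarty): a bootstrap that
// lets a packager point the application at the system Smarty instead of the
// copy embedded in the source tree. The paths below are assumptions.
//
// A packager would set the constant before including this file, e.g. in a
// site config:   define('SMARTY_PATH', '/usr/share/php/smarty');

// Resolve the directory containing Smarty.class.php.
// Precedence: explicit SMARTY_PATH, then the system location, then the
// embedded copy, so a stale bundled library is only used as a last resort.
function resolve_smarty_dir(): string
{
    $candidates = [];
    if (defined('SMARTY_PATH')) {
        $candidates[] = SMARTY_PATH;
    }
    $candidates[] = '/usr/share/php/smarty';   // system copy (assumed path)
    $candidates[] = __DIR__ . '/lib/smarty';   // embedded copy (assumed path)

    foreach ($candidates as $dir) {
        if (is_file($dir . '/Smarty.class.php')) {
            return $dir;
        }
    }
    throw new RuntimeException('Smarty not found; set SMARTY_PATH to its directory');
}

$smartyDir = resolve_smarty_dir();
require_once $smartyDir . '/Smarty.class.php';

// Record which copy was loaded so an administrator can confirm that the
// packaged library, not the embedded one, is actually in use.
error_log('Smarty loaded from ' . $smartyDir);
```

With the constant defined by the package and left undefined in an upstream tarball install, the same source tree works in both setups without patching.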