On Tue, Sep 06, 2005 at 09:31:06 -0400, Joey Hess wrote:

> FWIW, embedding a copy of PCRE in a Debian package regardless of whether
> it is exploitable is a bug in my book. It just asks for trouble. It makes
> bug fixing hard. I maintain a package that embeds pcre (analog), but I
> took care to not have it build that version of pcre, and so we don't have
> to worry about security issues in pcre for analog.
Upstream is aware of such concerns (see the http://mail.gnome.org/archives/gnumeric-list/2005-August/msg00073.html message referred to in the original report) but has (IMHO valid) reasons to use an embedded copy for now.

From #gnumeric I gather it is upstream's intention to address those reasons (i.e. have Novell fix PCRE in the SUSE products) so that it will be possible to drop the embedded copy in the future.

Ray
-- 
"an infinite number of monkeys typing into GNU emacs would never make a good program"
	.../linux/Documentation/CodingStyle
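The check a package maintainer wants here is "does this source tree carry its own PCRE, which version is it, and does the build actually compile it?" (the distinction Joey draws for analog). The script below is an added example written for this thread, not gnumeric's, analog's or Debian's own tooling. It treats any directory containing a pcre.h with PCRE_MAJOR/PCRE_MINOR defines as an embedded copy, and considers that copy "built" if a build file elsewhere in the tree (Makefile.am, Makefile.in, Makefile, configure.ac, configure.in) names the directory, as in a SUBDIRS line or a path like pcre/libpcre.la. Both rules are heuristics; the sample tree it runs on is constructed inline and is not a real gnumeric tarball.

```python
"""Locate embedded copies of PCRE in an unpacked source tree and report
whether the build references each copy. Added example for this thread;
heuristic, not an official gnumeric/Debian tool."""
import os
import re
import tempfile

# Real pcre.h carries lines like "#define PCRE_MAJOR          6".
_DEF_RE = re.compile(r'^\s*#\s*define\s+PCRE_(MAJOR|MINOR)\s+(\d+)', re.M)
_BUILD_FILES = {"Makefile.am", "Makefile.in", "Makefile",
                "configure.ac", "configure.in"}


def _pcre_version(header_path):
    """Return (major, minor) parsed from a pcre.h, or None if absent."""
    with open(header_path, encoding="utf-8", errors="replace") as fh:
        found = {k: int(v) for k, v in _DEF_RE.findall(fh.read())}
    if "MAJOR" in found and "MINOR" in found:
        return (found["MAJOR"], found["MINOR"])
    return None


def find_embedded_pcre(root):
    """Return a list of {'dir', 'version', 'built'} for each embedded copy,
    sorted by directory. 'built' means a build file outside that directory
    names it (SUBDIRS = pcre, pcre/libpcre.la, ...)."""
    copies, build_texts = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in _BUILD_FILES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    build_texts.append((rel, fh.read()))
            elif name == "pcre.h":
                ver = _pcre_version(path)
                if ver:
                    copies.append({"dir": rel, "version": ver})
    for copy in copies:
        base = os.path.basename(copy["dir"])
        # Match "pcre" as a directory token, not as part of "--with-system-pcre".
        token = re.compile(r'(?:^|[\s=/])' + re.escape(base) + r'(?:/|\s|$)', re.M)
        inside = (copy["dir"], copy["dir"] + os.sep)
        copy["built"] = any(
            token.search(text)
            for rel, text in build_texts
            if rel != inside[0] and not rel.startswith(inside[1]))
    copies.sort(key=lambda c: c["dir"])
    return copies


def build_sample_tree(base):
    """Constructed sample layout (assumption for the demo, not a real
    package): one bundled PCRE wired into the build, one stale copy
    under contrib/ that nothing compiles."""
    files = {
        "configure.ac": "AC_INIT(sample, 0.0)\nAC_CONFIG_FILES(Makefile pcre/Makefile)\n",
        "Makefile.am": "SUBDIRS = pcre src\n",
        "pcre/pcre.h": "/* bundled */\n#define PCRE_MAJOR 6\n#define PCRE_MINOR 1\n",
        "pcre/Makefile.am": "noinst_LTLIBRARIES = libpcre.la\n",
        "contrib/old-pcre/pcre.h": "#define PCRE_MAJOR 4\n#define PCRE_MINOR 5\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def run_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_embedded_pcre(tmp)


if __name__ == "__main__":
    for copy in run_sample():
        status = "BUILT" if copy["built"] else "not built"
        print("%s: PCRE %d.%d (%s)" % (copy["dir"], *copy["version"], status))
```

Run it against an unpacked source package instead of the sample by calling find_embedded_pcre("/path/to/source"). A copy reported as "not built" is the analog situation: the files are still in the tarball, but no security fix to libpcre needs to be carried into the package; a copy reported as "BUILT" is the one that needs tracking.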

