On Tue, 3 Mar 2020 at 05:04, Sean Whitton <[email protected]> wrote:
> My worry about these embedded code copies is maintainability. We do not
> have great tools for finding, nor updating, all the embedded copies of a
> library. So each time we introduce an embedded code copy then we are
> making it harder to fix bugs in Debian.
>
> This is particularly important for security fixes. The security team
> cannot be expected to go around finding multiple copies of libraries and
> uploading all the packages. AIUI tensorflow is expected to process
> untrusted input, so we would want it to be easy to fix security problems
> in its dependencies.
>
> Please let me know if I'm misunderstanding the nature of these
> dependencies.

Generally your understanding is correct. Embedded code copies indeed cause problems when a security problem such as a CVE arises. My experience is that scientific software suffers less from CVEs, but here I don't intend to fuss about why scientific software may be treated a bit differently since I have no strong proof. Maybe I should rethink my personal packaging preference.

--
Best,
-- debian-science-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
