On Tue, Dec 1, 2009 at 9:03 PM, Gregg L. Smith <li...@glewis.com> wrote:
>> And what is passing for an excuse for a local PCRE install
>> these days probably doesn't look like 7.8 or later, with
>> various fixes we are vulnerable to.

Isn't that the responsibility of the distributor?

> This does not leave me with a warm and fuzzy feeling. As a user, is the pcre 
> 8.0 I've built going to expose me to risks that your maintained 7.8 does not? 
> If yes, then I'd prefer your maintained one. After all, who knows better than 
> you what will interact with your code to produce problems. Regardless of 
> merit, who will ultimately get blamed in the end? Could your reputation be 
> tarnished? Can you completely divorce yourself from something your software 
> requires to run?

The opposite might be true too: what about risks that have been
patched in the distribution but not in the one shipped by Apache?
IMO library duplication should be avoided as much as possible.

