On Friday, 3 May 2019 at 19:59 +0200, Dridi Boukelmoune wrote:
> On Fri, May 3, 2019 at 1:45 PM Nicolas Mailhot via devel
> <devel@lists.fedoraproject.org> wrote:
> > On Friday, 3 May 2019 at 12:04 +0100, Tomasz Kłoczko wrote:
> > > On Fri, 3 May 2019 at 11:04, Nicolas Mailhot via devel
> > > <devel@lists.fedoraproject.org> wrote:
> > > [..]
> > > > You're assuming the only use is rollback. It's not
> > > 
> > > Point taken. Can you shortly describe other use cases?
> > 
> > You use apps in one of those languages that build statically by
> > default.
> > There is a security alert in one code component. You want to know
> > which packages in your repo/mirror have been built using the broken
> > piece of source code
> 
> Last time we disagreed on this topic my opinion was that static
> linking should imply bundled provides:
> 
>     Provides: bundled(<as usual>) = <crate or module version>
> 
> Hopefully something that could be automated for some stacks.

That makes it stack-specific.

And anyway, the classical compiler attack (compiler that inserts
backdoor while compiling) shows that special-casing some packages for
special tracking does not work, pretty much anything that existed in
the build root needs to be tracked because it may be exploited one way
or another, and spread the exploit to everything that used it.

-- 
Nicolas Mailhot
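The two tracking approaches discussed in this thread, as an added example that is not part of the original mails or of any Fedora tooling. The first query walks `Provides: bundled(<name>) = <version>` lines of the kind Dridi proposes; the second walks a per-package build-root manifest of the kind Nicolas argues for, which also catches a toolchain package (compiler, libc) that no bundled provide would ever name. All package names, versions and manifests are constructed for the example; the line format and helper names are assumptions, not an existing API.

```python
"""Find packages built with a vulnerable component, two ways.

Approach 1: per-package `Provides: bundled(<name>) = <version>` lines
            (only covers components the packager chose to declare).
Approach 2: a manifest of everything present in the build root
            (covers the compiler and libc too, as the thread points out).

All data below is constructed for the example; none of it is real Fedora
metadata.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Greedy (.+) so a name containing parentheses, e.g. golang(...), still
# matches up to the final ")" before "=".
PROVIDES_RE = re.compile(r"^Provides:\s*bundled\((.+)\)\s*=\s*(\S+)\s*$")

# Constructed spec-style Provides lines, keyed by binary package name.
SAMPLE_PROVIDES: Dict[str, List[str]] = {
    "example-gotool": [
        "Provides: bundled(golang(github.com/example/yaml)) = 2.2.1",
        "Provides: bundled(golang(github.com/example/net)) = 0.0.3",
    ],
    "example-rustcli": [
        "Provides: bundled(crate(example-yaml)) = 0.8.0",
    ],
    "example-other": [
        "Provides: bundled(golang(github.com/example/yaml)) = 2.2.8",
    ],
}

# Constructed build-root manifests: every name-version present at build time.
SAMPLE_BUILDROOTS: Dict[str, Set[str]] = {
    "example-gotool": {"golang-1.12.1", "golang-example-yaml-devel-2.2.1", "glibc-2.29"},
    "example-rustcli": {"rust-1.34.0", "rust-example-yaml-devel-0.8.0", "glibc-2.29"},
    "example-c": {"gcc-9.0.1", "glibc-2.29"},
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.2.1' into (2, 2, 1) for ordering; non-numeric parts become 0.

    Good enough for the dotted versions used here; real RPM comparison
    (rpmvercmp) has more rules than this helper implements.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_bundled(lines: Iterable[str]) -> Dict[str, str]:
    """Extract {component: version} from bundled() Provides lines."""
    bundled: Dict[str, str] = {}
    for line in lines:
        match = PROVIDES_RE.match(line.strip())
        if match:
            bundled[match.group(1)] = match.group(2)
    return bundled


def affected_by_bundled(provides: Dict[str, List[str]], component: str,
                        fixed_in: str) -> List[Tuple[str, str]]:
    """Packages whose bundled copy of `component` is older than `fixed_in`."""
    hits = []
    for pkg, lines in provides.items():
        version = parse_bundled(lines).get(component)
        if version is not None and version_key(version) < version_key(fixed_in):
            hits.append((pkg, version))
    return sorted(hits)


def split_name_version(nv: str) -> Tuple[str, str]:
    """'golang-1.12.1' -> ('golang', '1.12.1'); splits on the last dash."""
    name, _, version = nv.rpartition("-")
    return name, version


def affected_by_buildroot(buildroots: Dict[str, Set[str]], name: str,
                          fixed_in: str) -> List[Tuple[str, str]]:
    """Packages whose build root held `name` at a version older than `fixed_in`."""
    hits = []
    for pkg, contents in buildroots.items():
        for nv in contents:
            n, v = split_name_version(nv)
            if n == name and version_key(v) < version_key(fixed_in):
                hits.append((pkg, v))
    return sorted(hits)


if __name__ == "__main__":
    # A bundled library: both approaches can answer this.
    print(affected_by_bundled(SAMPLE_PROVIDES, "golang(github.com/example/yaml)", "2.2.8"))
    # The compiler itself: only the build-root manifest can answer this.
    print(affected_by_buildroot(SAMPLE_BUILDROOTS, "golang", "1.12.5"))
    print(affected_by_buildroot(SAMPLE_BUILDROOTS, "glibc", "2.30"))
```

The second and third queries are the ones a bundled-provides scheme cannot express: nobody writes `Provides: bundled(golang)` for the compiler that produced the binary, so an advisory against the toolchain is only answerable from a record of the whole build root.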
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org