On 18/01/2022 at 09:09, Itschak Mugzach wrote:
Raphael,
That's exactly my point. How do you maintain the life cycle of open source?
Each project publishes updates according to either
* fixed calendar
* feature based calendar
* vulnerability fixes
How can you explain that so many vendor products include old open source
versions?
You have multiple ways of handling things:
* Those that use a set version of each library they use; this includes
* Publishing software as a docker image
  This is possibly the least evil way of doing things, as long as
  the vendor actually updates the docker image regularly, whenever
  a vulnerability is found.
* Fork a local copy of each library they use
  Those need extra work when vulnerability fixes are announced.
  This way of doing things leads to having a number of versions of
  the libraries in the system (gets confusing).
  This also leads to old (vulnerable) versions being included.
  Said vendors should be bashed for doing things the wrong way.
* Those that use the libraries that are present in the system, whose
  code properly adapts to what is available on the machine at the time.
  Those allow for proper system upgrades, providing proper automatic
  systemwide vulnerability fixes.
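Whichever of the approaches above a vendor picks, the practical question is whether the library versions actually shipped get re-checked when upstream publishes a fix. As an added example (my code, not from either poster), a small check that compares the versions pinned into a product (image or fork) against a constructed list of upstream advisories and reports which pins lag behind the fixed release; library names, versions and advisory ids are all made up for illustration:

```python
"""Stale-pin check: which shipped library versions lack an announced fix?"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10) so comparison is numeric, not lexical.
    Assumes plain dotted numeric versions (no '-rc1' style suffixes)."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    library: str
    fixed_in: str   # first upstream release carrying the fix
    ident: str      # placeholder id, not a real CVE number

# Constructed sample: what the upstream projects have announced.
ADVISORIES: List[Advisory] = [
    Advisory("libfoo", "2.4.1", "ADV-0001"),
    Advisory("libfoo", "2.6.0", "ADV-0002"),
    Advisory("libbar", "1.0.5", "ADV-0003"),
]

# Constructed sample: versions a vendor pinned into its image / local fork.
PINNED: Dict[str, str] = {"libfoo": "2.5.0", "libbar": "1.0.5", "libbaz": "0.9.0"}

def stale_pins(pinned: Dict[str, str], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return library -> advisory ids whose fix the pinned version predates.
    Libraries with no advisory, or pinned at/after every fix, are omitted."""
    result: Dict[str, List[str]] = {}
    for adv in advisories:
        ver = pinned.get(adv.library)
        if ver is None:
            continue  # not shipped by this product, nothing to re-release
        if parse_version(ver) < parse_version(adv.fixed_in):
            result.setdefault(adv.library, []).append(adv.ident)
    return result

def minimum_safe_version(library: str, advisories: List[Advisory]) -> Optional[str]:
    """Smallest version that carries every announced fix for `library`."""
    fixes = [a.fixed_in for a in advisories if a.library == library]
    return max(fixes, key=parse_version) if fixes else None

if __name__ == "__main__":
    for lib, ids in stale_pins(PINNED, ADVISORIES).items():
        print(f"{lib} {PINNED[lib]} lacks {ids}; rebuild with >= "
              f"{minimum_safe_version(lib, ADVISORIES)}")
```

Running the same check on every image or fork rebuild is what turns "we pinned versions" from the bad case into the tolerable one the reply describes.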
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN