Blessed are the innocent

| Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |
| Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il |

On Tue, Jan 18, 2022 at 2:25 PM Raphaël Jacquot <[email protected]> wrote:

> On 18/01/2022 at 09:09, Itschak Mugzach wrote:
> > Raphael,
> >
> > That's exactly my point. How do you maintain the life cycle of open source?
>
> Each project publishes updates according to either:
> * a fixed calendar
> * a feature-based calendar
> * vulnerability fixes
>
> > How can you explain that so many vendor products include old open source versions?
>
> You have multiple ways of handling things:
>
> * Those that use a set version of each library they use. This includes:
>
>   * Publishing software as a docker image
>
>     This is possibly the least evil way of doing things, as long as
>     the vendor actually updates the docker image regularly, whenever
>     a vulnerability is found.
>
>   * Forking a local copy of each library they use
>
>     Those need extra work when vulnerability fixes are announced.
>
>     This way of doing things leads to having a number of versions of
>     the libraries in the system (gets confusing).
>     This also leads to old (vulnerable) versions being included.
>     Said vendors should be bashed for doing things the wrong way.
>
> * Those that use the libraries that are present in the system, whose
>   code properly adapts to what is available on the machine at the time
>
>   Those allow for proper system upgrades, providing proper automatic
>   systemwide vulnerability fixes.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
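The "forked local copy" case in Raphaël's reply is the one that is easiest to audit mechanically, so here is an added example of doing that. It is not code from the thread or from any vendor; it constructs a throwaway product tree in which two components each bundle their own copy of the same libraries, inventories every bundled copy, and reports both problems he names: copies below the version the vendor's own tracking says is the minimum acceptable, and the same library present at several versions at once. The library names (libparse, netutil), the VERSION-file layout and the minimum versions are all hypothetical; they stand in for whatever inventory format and advisory tracking a real vendor uses.

```python
"""Audit a product tree for vendored (forked or bundled) open-source libraries.

Added example, not code from the IBM-MAIN thread or from any vendor's product.
The tree layout, library names and minimum versions are constructed for the
demonstration; they are not real projects or real advisories.
"""
import os
import re
import tempfile
from collections import defaultdict

# Hypothetical lifecycle policy: the lowest version of each bundled library the
# vendor still accepts (i.e. the first release carrying the fix they track).
MIN_ACCEPTED = {
    "libparse": (2, 4, 1),
    "netutil": (1, 9, 0),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). Tuples compare numerically; plain strings do not
    ('2.10.0' < '2.9.0' as strings, which would hide a current copy)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x) for x in m.groups())


def inventory(root):
    """Walk the tree. Every directory whose name is a tracked library and which
    holds a VERSION file counts as one vendored copy.
    Returns {library: [(version_tuple, relative_path), ...]}."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if "VERSION" not in files:
            continue
        lib = os.path.basename(dirpath)
        if lib not in MIN_ACCEPTED:
            continue
        with open(os.path.join(dirpath, "VERSION")) as fh:
            version = parse_version(fh.read())
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        found[lib].append((version, rel))
    return found


def audit(found, policy=MIN_ACCEPTED):
    """Per library: the distinct versions present, the copies below the accepted
    minimum (old vulnerable copies), and whether more than one version exists
    at all (the 'gets confusing' case, which also means one fix must be applied
    in several places)."""
    report = {}
    for lib, copies in found.items():
        versions = sorted({v for v, _ in copies})
        stale = sorted(path for v, path in copies if v < policy[lib])
        report[lib] = {
            "versions": versions,
            "stale_paths": stale,
            "multiple_versions": len(versions) > 1,
        }
    return report


def build_sample_tree(root):
    """Constructed product tree: two components and a CLI tool each carry their
    own copy of the libraries, refreshed at different times."""
    layout = {
        "component-a/vendor/libparse/VERSION": "2.4.1\n",
        "component-b/third_party/libparse/VERSION": "2.3.0\n",  # never refreshed
        "component-b/third_party/netutil/VERSION": "1.9.2\n",
        "tools/cli/lib/netutil/VERSION": "1.8.7\n",  # forked long ago
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(inventory(root))


if __name__ == "__main__":
    for lib, result in sorted(run_sample().items()):
        print(lib, result)
```

On the constructed tree both libraries come back with `multiple_versions` set and one stale path each, which is exactly the state a docker-image or system-library approach avoids: there the question "which copy did we patch?" has a single answer. Replace `build_sample_tree` with the real product root to run it against an actual tree.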
