2012/12/26 Sune Vuorela <nos...@vuorela.dk>:
> On 2012-12-25, Sven Brauch <svenbra...@googlemail.com> wrote:
>> Also, I'm still not sure what exactly concerns you about security and
>> maintenance. Problems I see include increased build time, and
>> maintenance efforts for me personally in updating the fork, but none
>> really seem fatal. Can you elaborate a bit about which problems you
>
> One of the problems is that a distribution like Debian and/or
> Ubuntu has around 60-70 patches against python2.7 to ensure it builds
> and works everywhere.
> All these patches might also be needed for the extra copy - and given the
> extra copy is modified, then these patches might need to be adapted.
>
> Another of the problems is that if there is a security bug in libpython,
> then instead of just doing a security fix to python, one also needs to
> do one to kdev-python.
>
> The first problem is a large amount of work for the distribution
> packagers, and the second problem is quite annoying for distribution
> security teams.
>
> All of this applies to every embedded library. And python is a quite big
> thing.
>
> /Sune

Hi,

kdev-python does not really ship with a custom version of python which is used for various things; for example the interpreter or even standard library is not being used. Only the parser code from the libpython.so library is being called, everything else is just there as basically a build dependency for the parser stuff. Thus, the chances of it not working somewhere (due to path problems, runtime dependencies, ...) are hopefully slim.

How often are there security bugs in parser code? I don't know, but I'd guess it's not something that happens every other day. For security issues anywhere else (e.g. standard library modules such as xml parser stuff or whatever), they don't really matter since they can't ever be executed.

I do agree that the solution is not very elegant at any rate, but I'm still very much at a loss for a better idea. If anyone can come up with something good, I'd spend the time to change it, but writing a custom parser... phew.

Greetings,
Sven