On 04/16/2011 06:49 AM, Thierry Vignaud wrote:
> On 16 April 2011 10:10, Michael Scherer <[email protected]> wrote:
>
>>> * check our srpm database (Vincent later reworked this) for all the
>>> places the affected source code
>>> may be buried (many packages embed copies of other source)
>>>
>> I would propose to have a policy of using system-wide libraries and not
>> allow bundled copies (but this would likely be annoying for some cases).
>>
> That was the policy at mdv too.
> We had too much pain with all those copies.
>

And for the most part this worked. If I remember correctly, the biggest pain points were xpdf code being cloned all over and libtiff? I believe the xpdf situation has improved considerably since then, although I haven't spent a lot of time with the code of the various readers. It seemed like we had an xpdf vuln once a month or so, which triggered updates of several packages. At least having the tool to search the source tarballs gave us an easy way to check possible areas that might be at risk (although the initial database load took some time (clock time, not people time)).

Other suggestions on openness make perfect sense to me. No need to be "secret" about anything unless we really have to.

--
Stew Benedict
New Tazewell, TN
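The "tool to search the source tarballs" mentioned above is described only in passing, so here is an added, self-contained illustration of the idea; it is not the srpm database tool from the thread and not any distribution's code. It indexes every regular file in a set of source tarballs once (the slow "database load" step), fingerprints the upstream library's files by SHA-256, and then reports which other packages carry a byte-identical copy (certainly needs the same fix) versus a same-named file with different content (a forked or older copy that needs a human look). The tarballs, package names and file contents are constructed in memory for the example; the file names echo xpdf only as an illustration of which files one would fingerprint.

```python
import hashlib
import io
import tarfile
from collections import defaultdict


def make_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def index_tarballs(tarballs):
    """Walk each source tarball once and record every regular file as
    basename -> [(package, full path, sha256)]. This is the expensive
    load step; queries against the index are cheap afterwards."""
    index = defaultdict(list)
    for package, data in tarballs.items():
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                content = tar.extractfile(member).read()
                basename = member.name.rsplit("/", 1)[-1]
                index[basename].append((package, member.name, sha256(content)))
    return index


def fingerprint_upstream(tarball, wanted):
    """Hash the upstream library's own files so copies can be recognised
    exactly; returns basename -> sha256 for the basenames in `wanted`."""
    fingerprint = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            basename = member.name.rsplit("/", 1)[-1]
            if member.isfile() and basename in wanted:
                fingerprint[basename] = sha256(tar.extractfile(member).read())
    return fingerprint


def find_embedded_copies(index, fingerprint, upstream_package):
    """Return {package: [(path, kind)]} for every package other than the
    upstream one that carries a file of the library. kind is 'identical'
    (byte-for-byte copy of upstream, needs the same fix) or 'name-match'
    (same file name, different content: forked/older/patched, review it)."""
    hits = defaultdict(list)
    for basename, upstream_hash in fingerprint.items():
        for package, path, digest in index.get(basename, []):
            if package == upstream_package:
                continue
            kind = "identical" if digest == upstream_hash else "name-match"
            hits[package].append((path, kind))
    return {pkg: sorted(paths) for pkg, paths in hits.items()}


# Constructed sample tarballs: contents are made up, not real source.
SAMPLE_TARBALLS = {
    "xpdf": make_tarball({
        "xpdf-3.02/xpdf/Stream.cc": b"/* upstream Stream.cc v3.02 */\n",
        "xpdf-3.02/xpdf/JBIG2Stream.cc": b"/* upstream JBIG2Stream.cc v3.02 */\n",
    }),
    "cups": make_tarball({  # embeds an unmodified copy of one file
        "cups-1.4/pdftops/Stream.cc": b"/* upstream Stream.cc v3.02 */\n",
        "cups-1.4/pdftops/Makefile": b"all:\n",
    }),
    "poppler": make_tarball({  # one file forked, one still identical
        "poppler-0.16/poppler/Stream.cc": b"/* poppler fork of Stream.cc */\n",
        "poppler-0.16/poppler/JBIG2Stream.cc": b"/* upstream JBIG2Stream.cc v3.02 */\n",
    }),
    "bash": make_tarball({  # unrelated package, expected to produce no hits
        "bash-4.1/shell.c": b"int main(void) { return 0; }\n",
    }),
}


def scan_sample():
    """Index the constructed tarballs and look for copies of the xpdf files."""
    index = index_tarballs(SAMPLE_TARBALLS)
    fingerprint = fingerprint_upstream(SAMPLE_TARBALLS["xpdf"],
                                       {"Stream.cc", "JBIG2Stream.cc"})
    return find_embedded_copies(index, fingerprint, "xpdf")


if __name__ == "__main__":
    for package, files in sorted(scan_sample().items()):
        for path, kind in files:
            print(f"{package:10} {kind:10} {path}")
```

In practice the index would be built over a whole srpm tree and persisted, and the fingerprint would cover the specific upstream files touched by a fix rather than the whole library; the split between "identical" and "name-match" is what keeps the list of packages to rebuild from being either too short (missed copies) or too long (every unrelated `Stream.cc`).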
