On Sat, Aug 2, 2014 at 6:22 AM, Michael Torrie <torr...@gmail.com> wrote:
> On 08/01/2014 08:39 AM, Chris Angelico wrote:
>> The installer has basically three choices.
>> 1) Install libnettle inside the application directory
>> 2) Install libnettle to some system library directory
>> 3) Don't install libnettle, and demand that someone else (perhaps the
>> user, or the system package manager) install it.
>>
>> Option 1 results in duplications. (Unless one application is allowed
>> to access a library in another application's directory, which is a
>> HORRIBLE mess.) Option 2 is exactly what you're complaining about,
>> scattering files all over the FS. And option 3 is what package
>> managers are for. What are you advocating?
>
> Option 1 also is a huge security hole.  A prime example of this was the
> so-called heartbleed bug.  In such a model, each app that distributes
> openssl in the app bundle has to be updated or it is at risk.  This
> turns out to be a huge vulnerability.

More generally, that's exactly what Steven said about needing every
package to update before you can confidently say it's updated. But
that's also the greatest feature of the first option: you can't break
this application by upgrading that library, because only upgrading the
application (which hopefully will have been tested by the author) will
upgrade the library it uses.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
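As an added illustration of the "option 1" risk discussed in this thread (example code, not from any of the posters): a scanner that finds per-application copies of a shared library such as libnettle and flags those whose bytes differ from the system copy, since a system-wide upgrade would leave them untouched. The directory layout and file contents are constructed for the demo and are not real libraries.

```python
# Added example: flag bundled copies of a shared library that diverge from the
# system copy (the unpatched-duplicate problem described in the thread).
import hashlib
import os
import re
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_bundled_copies(app_root, lib_name):
    """Map path -> sha256 for regular files named lib_name.so[.N[.M...]] under app_root."""
    pattern = re.compile(r"^%s\.so(\.\d+)*$" % re.escape(lib_name))
    found = {}
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if pattern.match(name) and not os.path.islink(path):
                found[path] = sha256_of(path)
    return found

def stale_duplicates(app_root, lib_name, system_lib):
    """Bundled copies (relative to app_root) whose bytes differ from the system library."""
    reference = sha256_of(system_lib)
    copies = find_bundled_copies(app_root, lib_name)
    return sorted(os.path.relpath(p, app_root)
                  for p, digest in copies.items() if digest != reference)

def demo():
    """Build a constructed /opt-style tree (fake contents, not real libraries) and scan it."""
    layout = {
        "system/lib/libnettle.so.4": b"patched build",
        "opt/app_a/lib/libnettle.so.4": b"patched build",   # identical to the system copy
        "opt/app_b/lib/libnettle.so.4.7": b"old build",     # divergent: would stay unpatched
        "opt/app_c/lib/libother.so.1": b"unrelated library",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, content in layout.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return stale_duplicates(os.path.join(base, "opt"), "libnettle",
                                os.path.join(base, "system/lib/libnettle.so.4"))

if __name__ == "__main__":
    for rel in demo():
        print("bundled copy differs from system library:", rel)
```

On a real host you would point `stale_duplicates` at `/opt` and the distribution's library path instead of the constructed tree.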