From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110416/004008.html | 89 +++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110416/004008.html (limited to 'zarb-ml/mageia-dev/20110416/004008.html') diff --git a/zarb-ml/mageia-dev/20110416/004008.html b/zarb-ml/mageia-dev/20110416/004008.html new file mode 100644 index 000000000..9c7e350ef --- /dev/null +++ b/zarb-ml/mageia-dev/20110416/004008.html @@ -0,0 +1,89 @@ + + + + [Mageia-dev] Meeting for secteam start + + + + + + + + + +

[Mageia-dev] Meeting for secteam start

+ Stew Benedict + stewbintn at gmail.com +
+ Sat Apr 16 13:42:43 CEST 2011 +

+
+ +
On 04/16/2011 06:49 AM, Thierry Vignaud wrote:
+> On 16 April 2011 10:10, Michael Scherer <misc at zarb.org> wrote:
+>   
+>>> * check our srpm database (Vincent later reworked this) for all the
+>>> places the affected source code
+>>>   may be buried (many packages embed copies of other source)
+>>>       
+>> I would propose to have a policy of using system wide library and do not
+>> allow bundled copy ( but this would be likely annoying for some case ).
+>>     
+> That was the policy at mdv too.
+> We'd too much pain with all those copies.
+>
+>   
+And for the most part this worked. If I remember correctly, the biggest
+pain points were xpdf code being cloned all over and libtiff?
+I believe the xpdf situation has improved considerably since then,
+although I haven't spent a lot of time with the code of the various
+readers. I seemed like we had an xpdf vuln once a month or so, which
+triggered updates of several packages. At least having the tool to
+search the source tarballs gave us an easy way to check possible areas
+that might be at risk (although the initial database load took some time
+(clock time, not people time).
+
+Other suggestions on openness make perfect sense to me. No need to be
+"secret" about anything unless we really have to.
+
+-- 
+Stew Benedict
+New Tazewell, TN
+
+
+
+ + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
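Review bot: the author header and the quoted attribution line near the top of the new 004008.html carry poster addresses protected only by the " at " substitution (for example "misc at zarb.org"), and committing the rendered page places them in repository history, where they cannot be removed without rewriting it. Confirm this matches what list subscribers were told about archive publication, or strip the address fields before import. The subject "Add zarb MLs html archives" also does not say where the pages were exported from or what rendered them; a line in the commit message recording the source and export date would let someone later verify that the archived text is unchanged.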