Excerpts from Jesse Farinacci's message of Thu Dec 22 18:32:01 +0100 2011:
> Greetings,
>
> On Thu, Dec 22, 2011 at 12:20 PM, Deepesh Garg <deepes...@gmail.com> wrote:
>
> > I share your pain, but couldn't find anything close when it comes to
> > installing java apps.
>
> I don't think there is a standard for that, nor do I think it is required.
> The shared library mechanism employed by Linux and other high quality
> operating systems is a dying tradition, I think. It doesn't seem to fit for
> general applications. The performance gains are minimal, and the chance for
> having mismatched libraries requires far too much test and support time. It
> isn't worth the headache when you can get a 1Tb drive in a notebook for <
> 100 USD; or when low end business laptops ship with quad core and
> hyperthreading.
I see this again and again. People seem to forget that the number 1 issue with
bundling of dependencies is NOT performance/storage requirements. It is
security.

I'd like to see you fixing a security bug in a low-level java library
(something from apache-commons would be a good example here).

Let's see the case of a multiple-application distribution with a synced
commons version (the dying tradition). Steps to fix a security bug:

1. verify that the one version you have shared among your applications is
   vulnerable
2. fix the vulnerability
3. test, deploy, etc. Whatever your processes require

Now let's see the great new upcoming trend of bundled dependencies. Steps to
fix a security bug:

1. identify packages where you have bundled the vulnerable library
BEGIN LOOP
2. identify the version of the library that is bundled for each application.
   Do you even have source code for the bundled dep to check for the
   vulnerability? You bundled just the binary, right?
3. develop a fix for each of the identified versions
4. test, deploy, etc.
END LOOP

Good luck to your security response team.

Before I forget: Merry Christmas and happy New Year everyone (no sarcasm
here :-) )

--
Stanislav Ochotnicky <sochotni...@redhat.com>
Software Engineer - Base Operating Systems Brno

PGP: 7B087241
Red Hat Inc.                               http://cz.redhat.com
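The "BEGIN LOOP" part of the bundled-dependency case above (find every package that ships a copy of the library, then work out which version each one carries) is the step a security response team ends up automating. The script below is an added example, not something from this thread or from any of the posters; it assumes a hypothetical library coordinate org.apache.commons:commons-example, a constructed "fixed in 1.4.0" threshold, and constructed JAR/WAR files that it builds itself in a temporary directory. It reads version metadata from Maven's pom.properties or, failing that, from the manifest's Implementation-Version, and recurses into nested jars (WEB-INF/lib, lib/) so that a shaded uber-jar, a WAR and a plain jar all show up in the same report.

```python
"""Inventory bundled copies of one Java library across application packages.

Added example, not from the mailing-list thread. It automates the loop from
the post: walk a directory of JAR/WAR/EAR files, read version metadata from
Maven's pom.properties (or MANIFEST.MF Implementation-Version), recurse
into nested jars, and flag versions below a constructed "fixed" threshold.
"""
import io
import os
import tempfile
import zipfile

# Hypothetical library coordinates and a constructed vulnerability threshold.
TARGET_GROUP = "org.apache.commons"
TARGET_ARTIFACT = "commons-example"
FIXED_IN = (1, 4, 0)   # constructed: versions below 1.4.0 are treated as vulnerable
POM_PROPS = f"META-INF/maven/{TARGET_GROUP}/{TARGET_ARTIFACT}/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '1.4.1-SNAPSHOT' into (1, 4, 1); non-numeric tails are ignored."""
    parts = []
    for tok in text.split("."):
        digits = "".join(ch for ch in tok if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def find_versions(zf):
    """Return [(location, version)] for every copy of the target in zf, nested jars included."""
    found = []
    names = zf.namelist()
    if POM_PROPS in names:
        # Maven writes groupId/artifactId/version here; shaded jars usually keep it.
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                found.append((POM_PROPS, line.split("=", 1)[1].strip()))
    elif "META-INF/MANIFEST.MF" in names:
        # Fallback: manifest attributes (continuation lines are not handled here).
        attrs = {}
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if ": " in line:
                key, val = line.split(": ", 1)
                attrs[key.strip()] = val.strip()
        if attrs.get("Implementation-Title") == TARGET_ARTIFACT and "Implementation-Version" in attrs:
            found.append(("META-INF/MANIFEST.MF", attrs["Implementation-Version"]))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):   # nested jar: recurse into it
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            found.extend((f"{name}!{loc}", ver) for loc, ver in find_versions(inner))
    return found


def inventory(root):
    """Map each package under root that bundles the target to [(location, version, vulnerable)]."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with zipfile.ZipFile(path) as zf:
                hits = find_versions(zf)
            if hits:
                report[os.path.relpath(path, root)] = [
                    (loc, ver, parse_version(ver) < FIXED_IN) for loc, ver in hits]
    return report


def make_jar(entries):
    """Build an in-memory zip (a jar is just a zip) from {entry_name: bytes_or_str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_fixture(root):
    """Write four constructed packages under root; three bundle the library in different ways."""
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: %s\r\n"
                "Implementation-Version: 1.2\r\n" % TARGET_ARTIFACT)
    packages = {
        # shaded uber-jar: library metadata merged straight into the application jar
        "app-a.jar": make_jar({POM_PROPS: "version=1.3.2\n", "com/example/A.class": b"\xca\xfe"}),
        # WAR carrying the library as a nested jar under WEB-INF/lib
        "opt/app-b.war": make_jar({"WEB-INF/lib/commons-example-1.4.1.jar":
                                   make_jar({POM_PROPS: "version=1.4.1\n"})}),
        # application that does not bundle the library at all
        "app-c.jar": make_jar({"com/example/C.class": b"\xca\xfe"}),
        # nested jar whose only version metadata is its manifest
        "app-d.jar": make_jar({"lib/commons-example.jar": make_jar({"META-INF/MANIFEST.MF": manifest})}),
    }
    for rel, data in packages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed fixture in a temp dir and return the inventory report."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return inventory(root)


if __name__ == "__main__":
    for pkg, hits in sorted(demo().items()):
        for loc, ver, vuln in hits:
            print(f"{pkg}: {ver} at {loc} {'VULNERABLE' if vuln else 'ok'}")
```

Point the same `inventory()` at a real /opt or /usr/share tree and the report is the list the post's loop has to iterate over: one entry per package, with the bundled version (and where inside the archive it was found) so that each version can be patched and retested separately. Packages whose bundled copy carries no metadata at all will not show up here, which is precisely the "you bundled just the binary, right?" problem from the post.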