Excerpts from Jesse Farinacci's message of Thu Dec 22 18:32:01 +0100 2011:
> Greetings,
>
> On Thu, Dec 22, 2011 at 12:20 PM, Deepesh Garg <deepes...@gmail.com> wrote:
>
> > I share your pain, but couldn't find anything close when it comes to
> > installing java apps.
>
>
> I don't think there is a standard for that, nor do I think it is required.
> The shared library mechanism employed by Linux and other high quality
> operating systems is a dying tradition, I think. It doesn't seem to fit for
> general applications. The performance gains are minimal, and the chance for
> having mismatched libraries requires far too much test and support time. It
> isn't worth the headache when you can get a 1Tb drive in a notebook for <
> 100 USD; or when low end business laptops ship with quad core and
> hyperthreading.

I see this again and again. People seem to forget that the number 1 issue
with bundling of dependencies is NOT performance/storage
requirements. It is security. I'd like to see you fixing a security
bug in a low-level Java library (something from apache-commons would
be a good example here). Let's see the case of a multiple-application
distribution with a synced commons version (the dying tradition).
Steps to fix security bug:
1. verify that one version you have shared among your applications is
   vulnerable
2. fix the vulnerability
3. test, deploy, etc. Whatever your processes require

Now let's see the great new upcoming trend of bundled
dependencies. Steps to fix security bug:
1. identify packages where you have bundled the vulnerable library
BEGIN LOOP
   2. identify the version of the library that is bundled for each
      application.  Do you even have the source code for the bundled dep to
      check for the vulnerability? You bundled just the binary, right?
   3. Develop a fix for each of the identified versions
   4. test, deploy, etc
END LOOP

Good luck to your security response team.

Before I forget: Merry Christmas and happy New Year everyone (no
sarcasm here :-) )

--
Stanislav Ochotnicky <sochotni...@redhat.com>
Software Engineer - Base Operating Systems Brno

PGP: 7B087241
Red Hat Inc.                               http://cz.redhat.com
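One way to do steps 1 and 2 of the bundled-dependency loop above, as an added example that is not part of the original mail: a Python inventory that walks a tree of application directories, reads the Maven pom.properties embedded in each bundled JAR, and lists the applications still shipping a copy older than the version that carries the fix. The application names, library names and version numbers are constructed for the demo and assume plain dotted numeric versions.

```python
import os, tempfile, zipfile
from collections import defaultdict

# Constructed sample (not real projects); versions are made up for the demo.
SAMPLE_APPS = {
    "app-alpha": {"commons-fileupload": "1.2.1", "commons-io": "2.0"},
    "app-beta": {"commons-fileupload": "1.2.2", "commons-lang": "2.6"},
    "app-gamma": {"commons-io": "2.1"},
}

def make_jar(path, artifact, version):
    # Minimal JAR holding only the pom.properties Maven embeds; the version is
    # read from that file later, not from the (untrustworthy) file name.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/org.apache.commons/{artifact}/pom.properties",
                     f"artifactId={artifact}\nversion={version}\n")

def build_sample_tree(root):
    for app, libs in SAMPLE_APPS.items():
        libdir = os.path.join(root, app, "lib")
        os.makedirs(libdir)
        for artifact, version in libs.items():
            make_jar(os.path.join(libdir, f"{artifact}-{version}.jar"), artifact, version)

def bundled_versions(root):
    # Step 1 of the loop: {artifactId: {version: [apps]}} for every JAR below
    # root, with the top-level directory taken as the application name.
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            app = os.path.relpath(dirpath, root).split(os.sep)[0]
            with zipfile.ZipFile(os.path.join(dirpath, name)) as jar:
                for entry in jar.namelist():
                    if entry.endswith("/pom.properties"):
                        props = dict(ln.split("=", 1) for ln in
                                     jar.read(entry).decode().splitlines() if "=" in ln)
                        found[props["artifactId"]][props["version"]].append(app)
    return found

def version_key(v):
    # Crude dotted-numeric comparison; non-numeric parts count as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected_apps(inventory, artifact, fixed_in):
    # Step 2: apps whose bundled copy is older than the version carrying the fix.
    return sorted(app for ver, apps in inventory.get(artifact, {}).items()
                  if version_key(ver) < version_key(fixed_in) for app in apps)

def demo(artifact="commons-fileupload", fixed_in="1.2.2"):
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return affected_apps(bundled_versions(root), artifact, fixed_in)
```

Pointing `bundled_versions` at a real deployment root instead of the constructed tree gives the per-application version list the loop in the mail asks for.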
