On Sat, 17 Feb 2007 14:55:26 +0100
Simon Stelling <[EMAIL PROTECTED]> wrote:

> Marius Mauch wrote:
> > So everyone who has valid objections to the _general idea_ of this
> > implementation (preserving old libraries to avoid some runtime
> > linker errors) speak up now. 
> 
> For how long are these libraries preserved? This might have a security
> impact in cases like the recent openssl case where you had to upgrade
> to an incompatible ABI because the version using the old one was
> vulnerable. Using preserve-libs it would leave the old lib around,
> making it possible for programs to link against the wrong version and
> ending up being vulnerable. I realize that the feature is meant to
> help the transitional phase until all apps are built against the new
> ABI, but how would you find these vulnerable apps currently?
> revdep-rebuild wouldn't rebuild them since they are still functional.

Currently they are around as long as they are referenced by other
packages or until the package is unmerged. And yes, there should be a
way to tell revdep-rebuild/the user which packages should/need to be
rebuilt, but I haven't made my mind up yet on how to accomplish that
(in fact atm there is no separation between "native" and "imported"
libs in vdb, I'm aware that needs to be added).

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
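A defender-side check for the question raised in the quoted reply (which installed packages still link against a preserved, possibly vulnerable library, the ones revdep-rebuild would not flag because the old library still resolves), added here as an example that is not from this thread or from Portage. The preserved-libs registry format, the package names and the readelf output are all constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of what a preserve-libs registry might record:
# soname -> path of the old library kept on disk (hypothetical format).
PRESERVED_LIBS = {
    "libssl.so.0.9.7": "/usr/lib/libssl.so.0.9.7",
    "libcrypto.so.0.9.7": "/usr/lib/libcrypto.so.0.9.7",
}

# Constructed sample of `readelf -d` output for one binary per package,
# keyed by the owning package (what the vdb CONTENTS file would tell you).
READELF_OUTPUT = {
    "net-misc/curl-7.16.0": """
Dynamic section at offset 0x1a2c contains 23 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libssl.so.0.9.7]
 0x00000001 (NEEDED)                     Shared library: [libcrypto.so.0.9.7]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
""",
    "app-shells/bash-3.2": """
Dynamic section at offset 0x1a2c contains 20 entries:
 0x00000001 (NEEDED)                     Shared library: [libncurses.so.5]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
""",
}

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed_sonames(readelf_text):
    """Return the sonames a binary's dynamic section declares as NEEDED."""
    return NEEDED_RE.findall(readelf_text)


def packages_needing_rebuild(readelf_by_package, preserved):
    """Map each package still linked against a preserved soname to those sonames.

    revdep-rebuild would not report these: the old library is present, so the
    link resolves. These are exactly the consumers keeping the old ABI alive.
    """
    result = defaultdict(list)
    for pkg, text in readelf_by_package.items():
        for soname in needed_sonames(text):
            if soname in preserved:
                result[pkg].append(soname)
    return dict(result)
```

On a real system the readelf text would come from running `readelf -d` over each file listed in the package's vdb CONTENTS; the matching logic is unchanged.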