On Mon, Sep 21, 2015 at 5:10 PM, Cosimo Cecchi <cosi...@gnome.org> wrote:
>
> On Mon, Sep 21, 2015 at 1:01 PM, Owen Taylor <otay...@redhat.com> wrote:
>
>> Do we trust this code or not? If not, we should either a) sandbox it or
>> b) delete it.
>>
>> Moving less-trusted loaders into a separate repo is a blame-the-user or
>> blame-the-os-vendor move, depending on who installs them onto the system.
>>
>
> The only way to prevent the blame game you mention in a typical
> distribution where everything is installed through packages would be to
> stop supporting out of tree modules entirely, if I interpret your concern
> correctly.
>
> My point is that as long as that's the case, at least maintaining them in
> a central location gives people an aggregation point for fixes.
>

But they are not being maintained by anybody, and the fixes have not been
aggregating... every few years some security researchers decide to have a
look at image loaders, and then we get a bunch of overflows and corruptions
reported, and either me or Benjamin grudgingly fix them. And both of us are
tired of doing that.
_______________________________________________
gtk-devel-list mailing list
gtk-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gtk-devel-list