Ben Finney wrote:
<cut>
This omits the heart of the problem: There is an extra delay between
release and propagation of the security fix. When the third-party code
is released with a security fix, and is available in the operating
system, the duplicate in your application will not gain the advantage of
that fix until you release a new version of your application *and* that
new version makes its way onto the affected computer.

That is an additional delay, that only occurs because the hypothetical
security bug exists in a duplicate copy of the third party code. That
delay is entirely eradicated if your application instead uses a
system-installed library; your application then gains the security fix
immediately when they upgrade the system-installed library, without the
user having to upgrade the application at all.


I fully agree with your reasoning and I think you raised a valid point.

However, for me (as in YMMV), I have observed the following behaviour:
- Distribution security fixes are, time-wise, at best on par with my releases.
- Although some distributions (like Ubuntu) offer updates on third-party dependencies (like the Python interpreter), most of them don't (Windows).
- A user is more likely to update a program he uses than a third-party dependency he doesn't think he uses, especially if that program has an auto-update feature and the dependency doesn't.
- In the ideal world, an upgrade of a dependency won't break your program; in reality, users fear upgrading dependencies because they don't know for sure it won't result in a DLL-hell type of problem.

With these observations in mind, and because it gives me more control over what I am delivering, I made the trade-off that I ship platform-specific, fully self-contained (as far as possible) executables.

But you are right that it does give me the obligation to provide a way for the customer to get updates ASAP if there is a security issue in my program; whether this originally comes from a third-party library or not is, from the user's perspective, rightfully so, beside the point.


--
MPH
http://blog.dcuktec.com
'If consumed, best digested with added seasoning to own preference.'
--
http://mail.python.org/mailman/listinfo/python-list