Re: Bits from the Testing Security team

2007-10-15 Thread Francesco P. Lovergine
On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote: > > Embedded code copies > > > There are a number of packages including source code from external > libraries, for example poppler is included in xpdf, kpdf and others. To > ensure that we don't miss any vulnera

Re: Bits from the Testing Security team

2007-10-15 Thread Nico Golde
Hi Francesco, * Francesco P. Lovergine <[EMAIL PROTECTED]> [2007-10-15 11:08]: > On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote: > > > > Embedded code copies > > > > > > There are a number of packages including source code from external > > libraries, for exam

Re: Bits from the Testing Security team

2007-10-15 Thread Stefano Zacchiroli
On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote: > Embedded code copies > > There are a number of packages including source code from external > libraries, for example poppler is included in xpdf, kpdf and others. To > ensure that we don't miss any vulnerabiliti

Re: Bits from the Testing Security team

2007-10-15 Thread Hamish Moffatt
On Mon, Oct 15, 2007 at 11:06:32AM +0200, Francesco P. Lovergine wrote: > On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote: > > > > Embedded code copies > > > > > > There are a number of packages including source code from external > > libraries, for example pop

Re: Bits from the Testing Security team

2007-10-15 Thread Francesco P. Lovergine
On Mon, Oct 15, 2007 at 11:20:02AM +0200, Nico Golde wrote: > > Yes true but in most cases the code base is nearly the same > and we can check this without knowing ;) > > > I wonder if in those special cases an Embed: tag could be added in > > debian/control to help tracking things. > > That w

Re: Bits from the Testing Security team

2007-10-15 Thread Stefano Zacchiroli
On Mon, Oct 15, 2007 at 11:29:16AM +0200, Stefano Zacchiroli wrote: > So, question, do you want to have reports also of missing pieces of > statically linked code snippets in that list? On request of Steffen Joeris I'm following up here with a chat log between we two: (15:34:40) white: hi (15

Re: Bits from the Testing Security team

2007-10-15 Thread Nico Golde
Hi Francesco, * Francesco P. Lovergine <[EMAIL PROTECTED]> [2007-10-15 16:05]: > On Mon, Oct 15, 2007 at 11:20:02AM +0200, Nico Golde wrote: > > > > Yes true but in most cases the code base is nearly the same > > and we can check this without knowing ;) > > > > > I wonder if in those special cas

Re: Bits from the Testing Security team

2007-10-15 Thread Luis Matos
Nico Golde escreveu: Hi Francesco, * Francesco P. Lovergine <[EMAIL PROTECTED]> [2007-10-15 16:05]: On Mon, Oct 15, 2007 at 11:20:02AM +0200, Nico Golde wrote: Yes true but in most cases the code base is nearly the same and we can check this without knowing ;) I wonder if in t

Re: Bits from the Testing Security team

2007-10-15 Thread Francesco P. Lovergine
On Mon, Oct 15, 2007 at 04:17:35PM +0200, Nico Golde wrote: > > > > I wonder if in those special cases an Embed: tag could be > > > > added in > > > > debian/control to help tracking things. > > > > > > That would be a nice thing, also if this would include > > > information if the code is real

Re: Bits from the Testing Security team

2007-10-15 Thread Ian Jackson
Nico Golde writes ("Re: Bits from the Testing Security team"): > Yes, dpkg for example links statically against libbz2 and zlib just to > pick a famous example. IMO this is a mistake, and I hope it will be reversed soon ... Ian.

Re: Bits from the Testing Security team

2007-10-15 Thread Nico Golde
Hi Ian, * Ian Jackson <[EMAIL PROTECTED]> [2007-10-15 19:59]: > Nico Golde writes ("Re: Bits from the Testing Security team"): > > Yes, dpkg for example links statically against libbz2 and zlib just to > > pick a famous example. > > IMO this is a mistake

Re: Bits from the Testing Security team

2007-10-15 Thread Kurt Roeckx
On Mon, Oct 15, 2007 at 08:48:02PM +0200, Nico Golde wrote: > Hi Ian, > * Ian Jackson <[EMAIL PROTECTED]> [2007-10-15 19:59]: > > Nico Golde writes ("Re: Bits from the Testing Security team"): > > > Yes, dpkg for example links statically against libbz2 and zlib

Re: Bits from the Testing Security team

2007-10-15 Thread Kurt Roeckx
On Mon, Oct 15, 2007 at 09:08:06PM +0200, Kurt Roeckx wrote: > On Mon, Oct 15, 2007 at 08:48:02PM +0200, Nico Golde wrote: > > Hi Ian, > > * Ian Jackson <[EMAIL PROTECTED]> [2007-10-15 19:59]: > > > Nico Golde writes ("Re: Bits from the Testing Security team"

Re: Bits from the Testing Security team

2007-10-15 Thread Moritz Muehlenhoff
On 2007-10-15, Stefano Zacchiroli <[EMAIL PROTECTED]> wrote: > On Mon, Oct 15, 2007 at 11:29:16AM +0200, Stefano Zacchiroli wrote: >> So, question, do yo

Re: Bits from the Testing Security team

2007-10-15 Thread Francesco P. Lovergine
On Mon, Oct 15, 2007 at 08:40:01PM +0200, Moritz Muehlenhoff wrote: > On 2007-10-15, Stefano Zacchiroli <[EMAIL PROTECTED]> wrote: > >> So, question, do you want to have reports also of missing pieces of > >> statically linked code snippets in that list? > > Yes, this list has always included apps

Re: Bits from the Testing Security team

2007-10-15 Thread Roberto C. Sánchez
On Tue, Oct 16, 2007 at 12:20:52AM +0200, Francesco P. Lovergine wrote: > On Mon, Oct 15, 2007 at 08:40:01PM +0200, Moritz Muehlenhoff wrote: > > On 2007-10-15, Stefano Zacchiroli <[EMAIL PROTECTED]> wrote: > > >> So, question, do you want to have reports also of missing pieces of > > >> statically

Re: Bits from the Testing Security team

2007-10-15 Thread Jonas Meurer
On 15/10/2007 Francesco P. Lovergine wrote: > > > I wonder if in those special cases an Embed: tag could be added > > > in > > > debian/control to help tracking things. > > > > That would be a nice thing, also if this would include > > information if the code is really included or just > > sta

Re: Bits from the Testing Security team

2007-10-16 Thread Reinhard Tartler
Jonas Meurer <[EMAIL PROTECTED]> writes: >> Well, I would consider statically linking a non embedded (i.e. a packaged) >> library a bug... Are there known cases where this is a required condition? > > cryptsetup is statically linked against libgcrypt and libgpg-error, as > both are in /usr/lib, a

Re: Bits from the Testing Security team

2007-10-16 Thread Francesco P. Lovergine
On Mon, Oct 15, 2007 at 08:02:15PM -0400, Roberto C. Sánchez wrote: > > Anyway having a way to distinguish source-embedded by statically-linked > > would be useful. IMHO the second case is almost always an error, but > > for special cases (static linked shell for instance). > > > Additionally, pac

Re: Bits from the Testing Security team

2007-10-16 Thread Jonas Meurer
On 16/10/2007 Reinhard Tartler wrote: > >> Well, I would consider statically linking a non embedded (i.e. a packaged) > >> library a bug... Are there known cases where this is a required condition? > > > > cryptsetup is statically linked against libgcrypt and libgpg-error, as > > both are in /usr/

Re: Bits from the Testing Security team

2007-10-16 Thread Ian Jackson
Nico Golde writes ("Re: Bits from the Testing Security team"): > quoting Adam Heath from #debian-devel: Thanks for passing that on. > 2007-10-15 18:07 dpkg's configure has an option for using > shared libraries or static linking > 2007-10-15

Re: Bits from the Testing Security team

2007-10-16 Thread Kurt Roeckx
On Tue, Oct 16, 2007 at 02:34:36PM +0100, Ian Jackson wrote: > Nico Golde writes ("Re: Bits from the Testing Security team"): > > quoting Adam Heath from #debian-devel: > > Thanks for passing that on. > > > 2007-10-15 18:07 dpkg'

Re: Bits from the Testing Security team

2007-10-17 Thread Ian Jackson
Kurt Roeckx writes ("Re: Bits from the Testing Security team"): > Decompression is typically something that is i/o bound, not cpu bound. If the package is stored on disk and not in buffer cache. However, in many cases the package will have been just downloaded and so on a big memory m

Re: Bits from the Testing Security team

2007-10-17 Thread Roland Mas
Ian Jackson, 2007-10-17 15:00:55 +0100 : [...] > And if there is no good reason to have the decompressors bound in > then having that facility wired into the code is just extra > complexity to no useful purpose. I thought the ability to just copy one binary (/usr/bin/dpkg) from one box to anothe

Re: Bits from the Testing Security team

2007-10-17 Thread Kurt Roeckx
On Wed, Oct 17, 2007 at 03:00:55PM +0100, Ian Jackson wrote: > > > Indeed on modern multicore systems running the decompression in a > > > separate process allows it to be run on a separate CPU, in parallel to > > > the other processing done by dpkg proper. So it might be faster. > > > > > > (I ha

Re: Bits from the Testing Security team

2007-10-19 Thread Ian Jackson
Roland Mas writes ("Re: Bits from the Testing Security team"): > I thought the ability to just copy one binary (/usr/bin/dpkg) from one > box to another and be able to use it right away was precisely the goal > of static linking in that case. You still get that, unless the poi

Re: Bits from the Testing Security team

2008-01-16 Thread Reinhard Tartler
Jonas Meurer <[EMAIL PROTECTED]> writes: > cryptsetup is at least one binary in /sbin which depends on libgcrypt > and libgpg-error. If i got it right, that should be enough to move the > libs to /lib, correct? > > Maybe I should file wishlist bugs, and stop building cryptsetup > statically as soo

Re: Bits from the Testing Security team

2008-01-17 Thread Jonas Meurer
On 16/01/2008 Reinhard Tartler wrote: > Jonas Meurer <[EMAIL PROTECTED]> writes: > > > cryptsetup is at least one binary in /sbin which depends on libgcrypt > > and libgpg-error. If i got it right, that should be enough to move the > > libs to /lib, correct? > > > > Maybe I should file wishlist bu