13 Mar 2012 00:20
Re: Licence problem in bundled library
Bernhard Wymann <berniw <at> bluewin.ch>
2012-03-12 23:20:39 GMT
Hi

> On Monday 12 March 2012 18:07:58, you wrote:
>> - Some distributors would like to link to the expat/XXX libraries they
>> have anyway in their distro, but for the Windows users it is more
>> comfortable to have the source included in the tree, so I leave it there
>> for now. Distributors can patch their builds easily if they like. They
>> prefer this, because they think they can then replace a broken lib once
>> in the distro and this makes maintenance easier, but they do not account
>> for the risk (basically you then change all depending applications without
>> any QA or serious test, great...).
>
> It is not replacing a broken lib, just patching it is enough for security.
>
>> Regarding security problems the situation with a "built in" lib is not
>> that bad as well, because as long as you do not use an affected part of the
>> library, it just does not matter.
>
> Sorry, I disagree: I understand you don't think this is important for a game. But
> for a networked application like TORCS, it matters.

TORCS is not yet a networked application.
No reason to be sorry, multiple viewpoints are useful. I know I compacted
the argument very much, but I am not in the mood to write a book about
it. Short:
- I agree, a security fix TRIES just to fix the issue,
- BUT semantically this is impossible, because the calls in the
usual languages/APIs are not formally defined, so the implementation is the
definition, and if the definition allows a vulnerability it is