[plt-scheme] plt-scheme contains internal copies of zlib, libpng and jpeg

From: Marijn Schouten (hkBst) (hkBst at gentoo.org)
Date: Sun Mar 22 19:34:57 EDT 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

plt-scheme contains internal copies of zlib, libpng and jpeg (under src/wxcommon).

This so-called bundling is a concern for distributions as it makes it easy to
not notice all vulnerable copies of such libraries when vulnerabilities are
reported causing unpatched vulnerable copies to persist leaving the user open to
attack. Ideally no bundled copies exist in other packages such that it is clear
which versions of a particular library exist in the package repository of the
distribution. These explicit versions of the libraries can then be patched and
the holes plugged.

Distributions will usually know before you will about vulnerabilities as they
have people on mailing lists where such issues are reported. My guess is that
you are not, putting all your users at risk.

Please remove these bundled libraries or at least provide a way to use the
system libraries.

Marijn

PS One of our developers has ranted about the issue of bundling, so for the
interested:
http://blog.flameeyes.eu/2009/01/02/bundling-libraries-for-despair-and-insecurity

- --
Gods do not want you to think, lest they lose existence.
Religions do not want you to think, lest they lose power.

Marijn Schouten (hkBst), Gentoo Lisp project, Gentoo ML
<http://www.gentoo.org/proj/en/lisp/>, #gentoo-{lisp,ml} on FreeNode
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknGyyEACgkQp/VmCx0OL2xRfQCZAeafH+PyWacnyPt10uszRNkc
XWMAn2Z5bB8EfHkobaG0uwfBuYpQKrqo
=AAZb
-----END PGP SIGNATURE-----


Posted on the users mailing list.