I doubt this is actually very similar. Maven makes dependency management a breeze, but these libraries are versioned and people do specify the exact versions of the libraries they want in their pom.xml files.
Posted Apr 8, 2012 19:00 UTC (Sun) by rqosa (subscriber, #24136)
It's not all that different. In package management systems, packages also can specify a particular version (or minimum/maximum version) to depend on.
(Though it's true that often they don't actually do this — likely because it's becoming common for library packages to include an "API major version number" right in the package name, e.g. "freetype2" or "kdelibs3" or "allegro4". This way allows for installing multiple major versions of a library in parallel, and also ensures that the most recent API-compatible versions of all dependencies for all installed apps are present.)
Wheeler: Insecure open source software libraries?
Posted Apr 9, 2012 2:03 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
>It's not all that different. In package management systems, packages also can specify a particular version (or minimum/maximum version) to depend on.
In Maven you _must_ specify a particular version (or version range). Your POM won't be valid without it.
Wheeler: Insecure open source software libraries?
Posted Apr 9, 2012 8:08 UTC (Mon) by micka (subscriber, #38720)
It's possible to specify a version range for a dependency, like [1.0,1.5] or even [5.6,], though that's not exactly common practice.
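To make the distinction between the pinned and ranged dependency specs discussed in the posts above concrete, here is an added example (it is not code from the LWN thread, from Maven or from any of the commenters) that audits the dependency specs in a pom.xml. It parses Maven's interval syntax ("2.3.1" as a soft requirement, "[2.3.1]" as a hard pin, "[1.0,1.5]" as a bounded range, "[5.6,)" as a range with no upper bound, and comma-separated unions of intervals), flags the specs that would let a build silently pick up any future release, and can check whether a given version satisfies a spec. The POM and the com.example coordinates are constructed for the example, and the version ordering is a simplified numeric comparison rather than Maven's full qualifier-aware ordering.

```python
"""Audit the version specifiers of <dependency> entries in a Maven POM.

Added example, not from the LWN thread or the Maven project.  The sample POM
and the com.example coordinates below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# One interval: '[' or '(' , lower bound, optional ',upper bound', ']' or ')'.
_INTERVAL = re.compile(r"([\[(])([^,\])]*)(?:,([^\])]*))?([\])])")

# Constructed sample POM (hypothetical artifacts) exercising every spec form.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>pinned-lib</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>bounded-lib</artifactId><version>[1.0,1.5]</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>open-lib</artifactId><version>[5.6,)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>multi-range-lib</artifactId><version>(,1.0],[1.2,)</version></dependency>
  </dependencies>
</project>
"""


def _key(version):
    """Simplified ordering key: dotted numeric components, non-numeric parts
    count as 0, trailing zeros dropped so that 1.0 == 1.0.0.  Maven's real
    ordering also ranks qualifiers such as -SNAPSHOT or -rc1; this does not."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_spec(spec):
    """Return ('soft', version) for a bare version, or
    ('range', [(lo, lo_inclusive, hi, hi_inclusive), ...]) for interval syntax.
    An empty bound string means that side is unbounded; "[1.0]" is an exact pin."""
    spec = spec.strip()
    if not spec.startswith(("[", "(")):
        return "soft", spec
    intervals = []
    for m in _INTERVAL.finditer(spec):
        lb, lo, hi, rb = m.groups()
        if hi is None:          # "[1.0]": no comma, exact version
            hi = lo
        intervals.append((lo, lb == "[", hi, rb == "]"))
    if not intervals:
        raise ValueError("unparsable version spec: %r" % spec)
    return "range", intervals


def classify(spec):
    """Label a spec by how much freedom it gives the resolver."""
    kind, data = parse_spec(spec)
    if kind == "soft":
        return "pinned-soft"           # Maven prefers it but may override on conflict
    if any(hi == "" for _, _, hi, _ in data):
        return "unbounded-above"       # any future release qualifies
    if any(lo == "" for lo, _, _, _ in data):
        return "unbounded-below"
    if all(lo == hi for lo, _, hi, _ in data):
        return "pinned-hard"
    return "bounded-range"


def version_in_spec(version, spec):
    """True if `version` satisfies `spec` under the simplified ordering."""
    kind, data = parse_spec(spec)
    v = _key(version)
    if kind == "soft":
        return v == _key(data)
    for lo, lo_incl, hi, hi_incl in data:
        ok_lo = lo == "" or v > _key(lo) or (lo_incl and v == _key(lo))
        ok_hi = hi == "" or v < _key(hi) or (hi_incl and v == _key(hi))
        if ok_lo and ok_hi:
            return True
    return False


def audit(pom_xml):
    """List (artifactId, spec, classification) for every <dependency>."""
    root = ET.fromstring(pom_xml)
    report = []
    for dep in root.iter(POM_NS + "dependency"):
        artifact = dep.findtext(POM_NS + "artifactId")
        spec = dep.findtext(POM_NS + "version")
        if spec is None:   # version comes from a parent / dependencyManagement
            report.append((artifact, None, "inherited"))
            continue
        report.append((artifact, spec, classify(spec)))
    return report


def unbounded(pom_xml):
    """Artifacts whose spec accepts releases that do not exist yet."""
    return [a for a, _, k in audit(pom_xml) if k == "unbounded-above"]


if __name__ == "__main__":
    for artifact, spec, kind in audit(SAMPLE_POM):
        print("%-18s %-16s %s" % (artifact, spec, kind))
```

Run against a real POM, the "unbounded-above" entries are the ones worth reviewing: a build that resolves them today and tomorrow can pull different bytes without any change to the POM, which is exactly the non-reproducibility that pinning is meant to avoid. Note that even a hard pin only fixes the direct dependency; transitive dependencies declared with ranges by the libraries themselves still need a dependency-management section or a lock of the resolved tree to be controlled.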
Wheeler: Insecure open source software libraries?
Posted Apr 9, 2012 8:12 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I've seen it used with stuff like log4j or Spring where binary compatibility is kept between major versions.