Wheeler: Insecure open source software libraries?
Posted Apr 9, 2012 9:23 UTC (Mon) by khim
In reply to: Wheeler: Insecure open source software libraries?
Parent article: Wheeler: Insecure open source software libraries?
> Distributions *do* push new library versions out aggressively.
No, they don't.
> Specifically, they push out security fixes,
Usually, but not always. YMMV, as usual.
> and they push out publicly released ABI/API changes when and only when there are things in the distro themselves that depend on them.
IOW: they most definitely don't “push new library versions out aggressively”. They do it only when it's convenient for them.
Note: I don't see this as anything “wrong” or as “something which should be fixed”. But since they don't usually push new library versions out aggressively, it's often easier to bundle a new version of the library with your program rather than try to persuade distributions to do that for you.
> If you don't do the latter, you end up being trapped by things like the short-lived libjpeg7, which broke soname and required a massive relink only to change soname *again* and require another huge relink when you'd just finished the last one.
Yup. This may be a valid justification for distributions, but what about poor applications which needed/wanted to use JPEG7 when JPEG8 was not yet available?
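The libjpeg7 episode above turns on one mechanism: the soname a program was linked against is baked into its ELF `.dynamic` section as a `DT_NEEDED` entry, so a library that ships under a new soname cannot satisfy the old entry and every dependent binary has to be relinked. The following is an added example, not code from the LWN thread or from any distribution's tooling: it builds a few constructed, minimal little-endian ELF64 images (the binary names, `viewer`, `editor`, `shell`, and their dependency lists are invented), then parses them the way `readelf -d` would to list which binaries a soname bump would force a relink of.

```python
"""Added example (not from the LWN thread): why a soname bump forces a relink.

Builds constructed minimal ELF64 images carrying only .dynstr/.dynamic/.shstrtab,
then scans their DT_NEEDED entries like `readelf -d`. Little-endian ELF64 only;
standard library only.
"""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, 64 bytes
SHDR = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes
DYN = "<qQ"                  # Elf64_Dyn entry, 16 bytes


def _cstr(table: bytes, off: int) -> str:
    """Read a NUL-terminated string from a string table."""
    return table[off:table.index(b"\0", off)].decode()


def build_sample_elf(needed, soname=None) -> bytes:
    """Constructed minimal ELF64 with only the sections a dependency scan
    touches: .dynstr, .dynamic and .shstrtab (no code; not executable)."""
    dynstr, str_off = b"\0", {}
    for s in ([soname] if soname else []) + list(needed):
        str_off[s] = len(dynstr)
        dynstr += s.encode() + b"\0"
    dyn = b"".join(struct.pack(DYN, DT_NEEDED, str_off[n]) for n in needed)
    if soname:
        dyn += struct.pack(DYN, DT_SONAME, str_off[soname])
    dyn += struct.pack(DYN, DT_NULL, 0)
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    names = {".dynstr": 1, ".dynamic": 9, ".shstrtab": 18}   # offsets into shstrtab

    body, layout = b"", {}
    for name, data in ((".dynstr", dynstr), (".dynamic", dyn), (".shstrtab", shstrtab)):
        body += b"\0" * (-len(body) % 8)          # keep 8-byte alignment
        layout[name] = (64 + len(body), len(data))  # (file offset, size)
        body += data
    body += b"\0" * (-len(body) % 8)
    shoff = 64 + len(body)                        # section header table follows

    def shdr(name, sh_type, link=0, entsize=0):
        off, size = layout[name]
        return struct.pack(SHDR, names[name], sh_type, 0, 0, off, size, link, 0, 8, entsize)

    shdrs = (struct.pack(SHDR, *([0] * 10))                    # index 0: mandatory null section
             + shdr(".dynstr", SHT_STRTAB)                      # index 1
             + shdr(".dynamic", SHT_DYNAMIC, link=1, entsize=16)  # index 2, sh_link -> .dynstr
             + shdr(".shstrtab", SHT_STRTAB))                   # index 3
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELF64, little-endian, v1
    # e_type=ET_DYN, e_machine=x86-64, no program headers, 4 section headers, shstrndx=3
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + body + shdrs


def dynamic_deps(elf: bytes):
    """Return (DT_SONAME or None, [DT_NEEDED sonames]) from an ELF64 image.
    A static binary has no .dynamic section and yields (None, [])."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, elf, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type != SHT_DYNAMIC:
            continue
        str_off, str_size = shdrs[link][4], shdrs[link][5]   # sh_link names the string table
        strtab = elf[str_off:str_off + str_size]
        soname, needed = None, []
        for pos in range(off, off + size, entsize or 16):
            tag, val = struct.unpack_from(DYN, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(_cstr(strtab, val))
            elif tag == DT_SONAME:
                soname = _cstr(strtab, val)
        return soname, needed
    return None, []


def relink_impact(binaries: dict, old_soname: str) -> list:
    """Names of binaries whose DT_NEEDED still names old_soname: the set that
    must be relinked once the library ships under a new soname."""
    return sorted(name for name, elf in binaries.items()
                  if old_soname in dynamic_deps(elf)[1])


# Constructed sample "distribution": two JPEG consumers and one unaffected tool.
SAMPLE = {
    "viewer": build_sample_elf(["libjpeg.so.7", "libc.so.6"]),
    "editor": build_sample_elf(["libjpeg.so.7", "libz.so.1", "libc.so.6"]),
    "shell": build_sample_elf(["libc.so.6"]),
    "libjpeg.so.7": build_sample_elf(["libc.so.6"], soname="libjpeg.so.7"),
}

if __name__ == "__main__":
    print("libjpeg.so.7 -> libjpeg.so.8 forces a relink of:",
          relink_impact(SAMPLE, "libjpeg.so.7"))   # ['editor', 'viewer']
```

On a real system the same scan is `dynamic_deps(open(path, "rb").read())` for any little-endian ELF64 file, and `readelf -d` or `objdump -p` reports the identical `NEEDED`/`SONAME` entries. The example makes the trade-off in the thread concrete: relying on the distribution's copy means every consumer of a bumped soname is on the relink list, while bundling the library removes the application from that list but also removes it from the distribution's security-update path for that library.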