
Changes and complaints


Posted Feb 23, 2012 19:29 UTC (Thu) by lacos (guest, #70616)
In reply to: Changes and complaints by tzafrir
Parent article: Changes and complaints

"Another question: a bug in libpng is discovered and fixed. What packages should be rebuilt?"

The base system's provider would rebuild the shared lib and push the update. All dependent base system apps would benefit.

The vendor providing the extra package (statically linked with a specific version of libpng) should monitor all libs they link statically into the app. When there's a security advisory for libpng, they should backport the fix (or grab the new upstream release if appropriate), rebuild their app with the fixed lib, and push the product via a separate channel.

I have the impression this is how Firefox works on Windows. (Except they may not link statically, just maintain their private set of DLLs.)



Changes and complaints

Posted Feb 24, 2012 9:37 UTC (Fri) by mjthayer (guest, #39183)

> The vendor providing the extra package (statically linked with a specific version of libpng) should monitor all libs they link statically into the app. When there's a security advisory for libpng, they should backport the fix (or grab the new upstream release if appropriate), rebuild their app with the fixed lib, and push the product via a separate channel.

I don't even see why they need to do this manually. Linux distributions today handle security updates almost transparently to the system user, and this could be pushed up a level so that the statically linked "extra" package is automatically rebuilt and re-downloaded by its users. Granted, it ought to be tested first, but that doesn't really happen now in the dynamically linked situation we have.
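Both posts above turn on the same practical question: after a libpng advisory, which files on a system are fixed by the base system's shared-library update, and which carry their own statically linked copy that only a vendor rebuild (manual, as lacos describes, or automated, as mjthayer suggests) can fix? The script below is an added example written for this thread, not code from LWN or from either commenter. It assumes that libpng compiles its PNG_HEADER_VERSION_STRING ("libpng version 1.6.37 - ...") into every object it is linked into, so the string shows up in statically linked executables as well as in libpng.so itself, and it uses a plain byte-string match for sonames rather than parsing the ELF dynamic section. The sample "binaries" are constructed byte strings, not real files.

```python
"""Map a libpng security advisory to the binaries that actually need
rebuilding: statically linked (or bundled) copies older than the fixed
release, as opposed to dynamic consumers that are fixed by updating the
shared library alone.

Added example for the LWN thread on static vs. dynamic linking; not code
from the thread or from libpng. See the assumptions on the two regexes.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: libpng compiles PNG_HEADER_VERSION_STRING (e.g.
# "libpng version 1.6.37 - April 14, 2019") into every object it is linked
# into, so the string appears in a statically linked executable as well as
# in libpng.so itself. Confirm against the vendor build you are auditing.
EMBEDDED_VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")

# A dynamic consumer carries the soname in its .dynstr (a DT_NEEDED entry),
# e.g. "libpng16.so.16". Byte-string heuristic; an ELF-aware audit would
# parse the .dynamic section instead of grepping for the name.
SONAME_RE = re.compile(rb"libpng\d*\.so(?:\.\d+)+")


@dataclass
class Finding:
    path: str
    kind: str                    # "shared-lib", "static-copy", "dynamic-consumer", "none"
    version: Optional[Version]   # oldest libpng version string found in the file
    needs_rebuild: bool          # someone must rebuild and ship this file for the advisory


def parse_version(text: str) -> Version:
    major, minor, patch = (int(part) for part in text.split("."))
    return major, minor, patch


def is_libpng_shared_object(path: str) -> bool:
    name = os.path.basename(path)
    return name.startswith("libpng") and ".so" in name


def classify(path: str, data: bytes, fixed: Version) -> Finding:
    versions = [tuple(int(g) for g in m.groups()) for m in EMBEDDED_VERSION_RE.finditer(data)]
    oldest = min(versions) if versions else None
    if is_libpng_shared_object(path):
        # The shared library itself: the base system replaces it.
        return Finding(path, "shared-lib", oldest, oldest is not None and oldest < fixed)
    if oldest is not None:
        # A copy of libpng is baked into this file; it only gets the fix if
        # the vendor rebuilds against a fixed libpng and ships a new build.
        return Finding(path, "static-copy", oldest, oldest < fixed)
    if SONAME_RE.search(data):
        # Dynamic consumer: picks up the fix as soon as libpng.so is updated.
        return Finding(path, "dynamic-consumer", None, False)
    return Finding(path, "none", None, False)


def audit_tree(root: str, fixed: Version) -> List[Finding]:
    """Classify every regular file under root; returns only libpng-related findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                finding = classify(path, fh.read(), fixed)
            if finding.kind != "none":
                findings.append(finding)
    return findings


# Constructed sample "binaries": byte strings standing in for real files,
# with the strings placed where real .rodata/.dynstr contents would be.
SAMPLE_FILES: Dict[str, bytes] = {
    "/usr/lib/libpng16.so.16": b"\x7fELF...libpng16.so.16\x00libpng version 1.6.36\x00",
    "/opt/vendor/app":         b"\x7fELF...libpng version 1.5.9\x00",   # static copy, old
    "/opt/vendor/app-new":     b"\x7fELF...libpng version 1.6.37\x00",  # static copy, fixed
    "/usr/bin/viewer":         b"\x7fELF...libc.so.6\x00libpng16.so.16\x00",  # dynamic
    "/usr/bin/unrelated":      b"\x7fELF...libc.so.6\x00",
}


def audit_samples(fixed: str = "1.6.37") -> Dict[str, Finding]:
    """Run the classifier over the constructed samples against a fixed release."""
    fixed_version = parse_version(fixed)
    return {path: classify(path, data, fixed_version) for path, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for path, f in audit_samples().items():
        flag = "REBUILD" if f.needs_rebuild else "ok"
        print(f"{flag:8} {f.kind:16} {f.version} {path}")
```

Two caveats for anyone running this on a real filesystem: a version string only tells you which upstream release was compiled in, not whether the vendor backported the fix into that release without bumping the number, so the "static-copy" findings are candidates to confirm against the vendor's advisory rather than a verdict; and a vendor that strips or renames the string (or links libpng under a different symbol prefix) will be missed entirely, which is one argument for the automated rebuild-and-redistribute channel mjthayer describes instead of after-the-fact scanning.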


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds