Moving features from HEAD to testing

Archaic archaic at indy.rr.com
Sat May 15 23:10:18 PDT 2004


On Sat, May 15, 2004 at 07:34:11PM -0700, Jeremy Utley wrote:
> 
> OK, picture this scenario.  LFS user installs bash, with its internal
> readline library (which links in statically).  Then later on, installs
> the standalone readline library for BLFS applications.  Few months pass by
> and there's some major security problem found in the readline library.  User
> reinstalls a new readline with the problem fixed, BUT, bash still has the
> vulnerability linked in static.  So, this user has to reinstall 2 packages.

No biggie. How much will he have to recompile when a zlib vulnerability
happens (and this I'm sure you do remember)? If this is the strongest
reason for including it, it's weak at best. This is a hypothetical only.
Besides, the 2 readlines aren't identical, which can even limit more the
likelihood of this hypothetical.

> Second user, installed readline during chapter 6, and linked Bash to the
> external readline (shared).  Same readline vulnerability, but this user simply
> needs to reinstall the readline lib, instead of both.

As with zlib, unless we hunt through every Makefile we cannot guarantee
that a bin that links dynamically is only linked dynamically. We've seen
both before.

> The same could be said for a new readline that simply added additional
> functionality - it's similar to the reason we use a system-installed zlib for
> XFree86 instead of the XFree86 internal zlib.

We need zlib in LFS, therefore if you already *need* it, you might as
well let other packages use it, especially in the case you cite in which
the bundled zlib is at best as new as the system zlib, but most likely
older.

Either way, there hasn't been any strong reason *for* inclusion and
since the book has worked fine for years without it, the burden of proof
rests on including it. Just notice, of the few people who weighed in about
this, that there is no strong consensus. Necessity and functionality to
the level of adding another package just haven't been shown.

-- 
Archaic

The difference between death and taxes is death doesn't get worse every
time Congress meets

- Will Rogers



