From: Nathaniel Smith
Subject: Re: [Monotone-devel] Linking monotone with Debian's official sqlite shared library
Date: Mon, 25 Jul 2005 19:31:11 -0700
User-agent: Mutt/1.5.9i
On Mon, Jul 25, 2005 at 10:12:55AM -0300, Alex Queiroz wrote:
> These are very different libraries. The Lua libraries are almost
> meant to be customised. Regarding SQLite, I agree it'd be better to
> use the Debian libraries, to keep monotone automatically more
> up-to-date and secure.
-- "up-to-date" has no value here; users will not magically get more
features because a utility library has been upgraded.
-- "secure" is theoretically possible, but my imagination fails to
come up with any way in which an sqlite bug could create a real
security hole in monotone. Perhaps if you're letting other people
write to your home directory, then they could munge a database to
trigger a buffer overflow or something. But if they're writing to
your home directory, you have probably lost already.
(The best I can think of is if, because initial pulls are slow,
you download a pre-pulled "starter database", arranged by a
malicious person who has found one of these hypothetical bugs.)
-- in the meantime, bundling it allowed us to fix a real,
user-reported bug, which was preventing needed functionality from
working.
Anyway, this discussion doesn't seem to be going much of anywhere; I
think we've stated our reasons and will let that stand unless someone
has something new to contribute...
-- Nathaniel
--
So let us espouse a less contested notion of truth and falsehood, even
if it is philosophically debatable (if we listen to philosophers, we
must debate everything, and there would be no end to the discussion).
-- Serendipities, Umberto Eco
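The "starter database" scenario above is the one case in the thread where sqlite parses a file an attacker controls. As an added example (not monotone's code, and not anything the thread proposes), the script below shows the pre-checks a practitioner would run on such a file before letting the linked sqlite library touch it: a header sanity check done in plain Python, a report of which sqlite version is actually linked (the bundled-vs-system question the thread is about), and sqlite's own PRAGMA integrity_check. The file names, the sample table, and the constructed junk file are all assumptions made for the demonstration; the header field layout follows the documented SQLite 3 file format.

```python
"""Sanity-check an untrusted SQLite database file before trusting it.

Added example, not monotone code.  Assumed: the file names, the sample
schema, and the constructed junk file below.  The header checks follow the
documented SQLite 3 file format (first 100 bytes of the file).
"""
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def check_header(path):
    """Return a list of problems found in the 100-byte file header.

    This step never calls into sqlite, so a hypothetical parser bug in the
    library cannot be reached from here.  It only catches files that are
    not even shaped like a database; it is a filter, not a proof of safety.
    """
    problems = []
    with open(path, "rb") as f:
        header = f.read(100)
    if len(header) < 100:
        return ["file shorter than the 100-byte header"]
    if header[:16] != SQLITE_MAGIC:
        problems.append("bad magic string")
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:          # the format stores 65536 as 1
        page_size = 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        problems.append("page size %d is not a power of two in 512..65536"
                        % page_size)
    size = os.path.getsize(path)
    if size % page_size:
        problems.append("file size %d is not a multiple of page size %d"
                        % (size, page_size))
    return problems


def integrity_check(path):
    """Ask the linked sqlite library to walk the whole file, read-only.

    This runs the library's own parser, so it is a consistency check and
    not a defence against a bug in that parser.  Errors are returned
    rather than raised so a caller can log them.
    """
    try:
        conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
        try:
            rows = conn.execute("PRAGMA integrity_check").fetchall()
        finally:
            conn.close()
        return [r[0] for r in rows]
    except sqlite3.Error as e:
        return ["error: %s" % e]


def linked_sqlite_version():
    """Version of the sqlite library this process actually linked."""
    return sqlite3.sqlite_version


def make_sample_db(path):
    """Constructed stand-in for a legitimate 'starter database'."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE revisions(id TEXT PRIMARY KEY, data BLOB)")
    conn.execute("INSERT INTO revisions VALUES ('r1', x'00')")
    conn.commit()
    conn.close()


def demo():
    """Run the checks over a good database and a constructed junk file."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "starter.db")
    bogus = os.path.join(d, "bogus.db")
    make_sample_db(good)
    with open(bogus, "wb") as f:
        # Valid magic, then page size 3 and garbage: constructed junk.
        f.write(SQLITE_MAGIC + b"\x00\x03" + b"\xff" * 98)
    return {
        "version": linked_sqlite_version(),
        "good_header": check_header(good),
        "good_integrity": integrity_check(good),
        "bogus_header": check_header(bogus),
        "bogus_integrity": integrity_check(bogus),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Only check_header keeps the file away from sqlite's parser; integrity_check and any later use hand the bytes to exactly the library whose hypothetical bug the mail is talking about, whichever copy of it (bundled or Debian's) happens to be linked. For a database from someone you do not trust, these checks reduce the junk that reaches the parser; they do not make a malformed-file bug unexploitable.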