chicken-hackers

Re: [Chicken-hackers] multiple issues in embedded PCRE


From: Marijn Schouten (hkBst)
Subject: Re: [Chicken-hackers] multiple issues in embedded PCRE
Date: Wed, 14 Nov 2007 00:52:05 +0100
User-agent: Thunderbird 2.0.0.6 (X11/20070802)

John Cowan wrote:
> Marijn Schouten (hkBst) scripsit:
> 
>> chicken ships its own copy of libpcre which has multiple vulnerabilities
>> <http://secunia.com/advisories/27543/>.
> 
> It should definitely be upgraded, then.
> 
>> Issues such as this one are the reason why local copies of libraries are bad.
>> Currently there doesn't seem to be an option to build against the system
>> libraries though.
> 
> On non-Gentoo systems, it's extremely common for buggy and vulnerable
> libraries to remain around for years.  Since that's the normal case, we
> adapt to it by packaging pcre.  Indeed, that's the only way to guarantee
> i14y, since sufficiently old libpcre's don't even expose the same API.

Even if that is so, you don't solve any problems by adding another
installation of libpcre. It doesn't make any system libraries go away. What it
*does* do is create another point of failure.

I also don't see what good it does to interoperability. The only thing you're
doing is deciding where the breakage is by doing the upgrading of libpcre when
*you* choose.

Anyway, I'm sure this won't have convinced you, so please consider adding a
configure switch to build with system libpcre instead of the shipped one.

Thank you,

Marijn

--
Marijn Schouten (hkBst), Gentoo Lisp project, Gentoo ML
<http://www.gentoo.org/proj/en/lisp/>, #gentoo-{lisp,ml} on FreeNode



