John Cowan wrote:
> Marijn Schouten (hkBst) scripsit:
>
>> chicken ships its own copy of libpcre which has multiple vulnerabilities
>> <http://secunia.com/advisories/27543/>.
>
> It should definitely be upgraded, then.
>
>> Issues such as this one are the reason why local copies of libraries are bad.
>> Currently there doesn't seem to be an option to build against the system
>> libraries though.
>
> On non-Gentoo systems, it's extremely common for buggy and vulnerable
> libraries to remain around for years. Since that's the normal case, we
> adapt to it by packaging pcre. Indeed, that's the only way to guarantee
> i14y, since sufficiently old libpcre's don't even expose the same API.

Even if that is so, you don't solve any problems by adding another
installation of libpcre. It doesn't make any system libraries go away. What it
*does* do is create another point of failure.

Anyway, I'm sure this won't have convinced you, so please consider adding a
configure switch to build with system libpcre instead of the shipped one.

Thank you,

Marijn

--
Marijn Schouten (hkBst), Gentoo Lisp project, Gentoo ML
<http://www.gentoo.org/proj/en/lisp/>, #gentoo-{lisp,ml} on FreeNode