[Chicken-hackers] Re: use host PCRE...
From: Ivan Shmakov
Subject: [Chicken-hackers] Re: use host PCRE...
Date: Mon, 14 Jan 2008 22:42:21 +0600
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
>>>>> Vincent Manis <address@hidden> writes:
>> I guess the members of the Debian security team will get quite upset
>> were they forced to fix the issues in both the PCRE and the
>> Chicken packages at the same time.
>> To state it once again, in case of a security-related bug discovered
>> in a Debian package, it's expected that a fix (i.e., another
>> version of the binary package) will be prepared as soon as possible.
>> It would be a waste of time to prepare both the packages for PCRE
>> and Chicken in case of a bug in fact affecting only the former.
> Packagers will do as they choose, of course, but I would see the
> inclusion of PCRE in Chicken as an implementation technique, rather
> than an external dependency. So if the regular expression facilities
> in Chicken are broken, it seems to me that it's up to Chicken to
> repair them.
Sorry for raising the issue once again, but I probably should
try to explain my point once again. I hope for your
understanding.
Could you consider, e.g., a Web server, implemented in Chicken,
and using regular expressions, say, on URLs coming within the
HTTP requests it serves?
It seems to me that should the Chicken-embedded PCRE be broken,
it would be up to the server's administrators to repair the
compromised system, wouldn't it?
The sequence of events to follow could then be like:
* the administrators are blaming the Debian Security team for
not fixing the known PCRE bug;
* the Debian Security team then discovers that the bug was
indeed fixed, but the Debian Chicken package has its own version
of PCRE, which wasn't fixed yet;
* the team then issues an NMU to fix the problem, raising a
question: is it really necessary for the Debian Chicken
package to contain its own version of PCRE;
* finally, they decide that either the package gets to link with
the system's PCRE, or gets expelled from Debian, so that they
won't be fixing one bug twice.
Doesn't the above sound like a reasonable practice for an OS
distribution with at least some interest in protecting its users
from malice?
[...]
> I'm not sure that there's a clear dividing line, but somehow those
> two cases feel very different to me.