
[Chicken-hackers] Re: use host PCRE...


From: Ivan Shmakov
Subject: [Chicken-hackers] Re: use host PCRE...
Date: Mon, 14 Jan 2008 22:42:21 +0600
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

>>>>> Vincent Manis <address@hidden> writes:

 >> I guess the members of the Debian security team will get quite upset
 >> should they be forced to fix the issues in both the PCRE and the
 >> Chicken packages at the same time.

 >> To state it once again, in case of a security-related bug discovered
 >> in a Debian package, it's expected that a fix (i. e., another
 >> version of the binary package) will be prepared as soon as possible.
 >> It would be a waste of time to prepare both packages, for PCRE
 >> and Chicken, in case of a bug in fact affecting only the former.

 > Packagers will do as they choose, of course, but I would see the
 > inclusion of PCRE in Chicken as an implementation technique, rather
 > than an external dependency. So if the regular expression facilities
 > in Chicken are broken, it seems to me that it's up to Chicken to
 > repair them.

        Sorry for raising the issue once again, but I probably should
        try to explain my point once again.  I hope for your
        understanding.

        Could you consider, e. g., a Web server, implemented in Chicken,
        and using regular expressions, say, on URLs coming within the
        HTTP requests it serves?

        It seems to me that should the Chicken-embedded PCRE be broken,
        it would be up to the server's administrators to repair the
        compromised system, wouldn't it?

        The sequence of the events to follow could then be like:

        * the administrators are blaming the Debian Security team for
          not fixing the known PCRE bug;

        * the Debian Security team then discovers that the bug was
          indeed fixed, but the Debian Chicken package has its own version
          of PCRE, which wasn't fixed yet;

        * the team then issues an NMU to fix the problem, raising a
          question: is it really necessary for the Debian Chicken
          package to contain its own version of PCRE;

        * finally, they decide that either the package gets to link with
          the system's PCRE, or gets expelled from Debian, so that they
          won't be fixing one bug twice.

        Doesn't the above sound like a reasonable practice for an OS
        distribution with at least some interest in protecting its users
        from malice?

[...]

 > I'm not sure that there's a clear dividing line, but somehow those
 > two cases feel very different to me.
