[AWS] Debian reports security vulnerabilities in prototype.js bundled with AWS
Ludovic Brenta
ludovic at ludovic-brenta.org
Mon Nov 9 13:01:59 CET 2009

Emmanuel Briot writes:
>> PS. As a long-term enhancement request, I ask that you NOT bundle ANY
>> software with AWS or any other software, i.e. remove any bundled
>> software from Subversion and, instead, add instructions to the README or
>> INSTALL files explaining the dependencies. Today's security
>> vulnerabilities are just the last in a long list of problems caused by
>> software bundled in AdaCore's source trees. Previous problems included
>> copyright infringements (see the discussions we had on
>> polyorb-users at l.adacore.com a couple months ago) and at least one severe
>> bug in GPS (see http://bugs.debian.org/297980 - two months elapsed time
>> and 3 volunteers spending dozens of hours investigating).
>
> Unfortunately, your requirements are not compatible with what most users
> expect. You are in a special position as a package maintainer, but most
> people (and especially on non-linux platforms) expect easy installation.
> So I think the contents of the packages will likely not change

But the contents of the package *must* change one way or another; at
the very least to correct the security vulnerabilities and critical bugs.
The question boils down to: do you (AdaCore) want to be a systems
integrator or not? If the answer is "yes" then you should accept the
additional workload:
- document where your software ends and where the third-party sources begin
- upgrade early, upgrade often
- do not fork
- if you must fork, send your patches upstream and then merge back

I understand that you may want to do that for GNAT GPL Edition, which is
a source bundle. The Subversion repository is a different story; people
using the Subversion repository expect to build from source anyway. If you
really want to replicate third-party software in your Subversion
repository, I suggest that at least you move it to top-level directories
outside of your own software. For starters, this would make it easier for
you to merge from upstream (e.g. cron jobs + tailor). For another, it would
make it easier for you to audit the third-party software for license
compliance and bugs.
--
Ludovic Brenta.
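The audit step the mail argues for (knowing where bundled third-party code lives and whether it is stale) can be automated. The script below is an added example, not code from AWS or from either poster: it walks a source tree for copies of prototype.js, reads the `Version: '...'` field that the library declares near the top of the file, and flags copies older than a minimum version. The directory names and file contents in `demo()` are constructed, and the minimum version is a placeholder rather than the fix version for the vulnerabilities discussed.

```python
"""Audit a source tree for bundled (vendored) copies of prototype.js and
flag any whose declared version is older than a required minimum.
Added example; not part of the AWS project or the original mail."""
import os
import re
import tempfile

# prototype.js declares its release in a `Version: '1.6.0.3'` field near
# the top of the file; the regex below reads that field.
VERSION_RE = re.compile(r"Version:\s*'(\d+(?:\.\d+)*)'")

def parse_version(text):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def find_bundled(root, filename="prototype.js"):
    """Yield (path, version) for every copy of `filename` under `root`."""
    for dirpath, _dirs, files in os.walk(root):
        if filename in files:
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield path, parse_version(fh.read(4096))

def audit(root, minimum):
    """Return (path, version) for copies that are unversioned or older than
    `minimum` (a tuple such as (1, 6, 1)); an empty list means clean."""
    stale = []
    for path, ver in find_bundled(root):
        if ver is None or ver < minimum:
            stale.append((path, ver))
    return sorted(stale)

def demo():
    """Build a constructed tree holding one stale and one current copy."""
    root = tempfile.mkdtemp()
    copies = {  # constructed sample files, not real AWS paths
        "third_party/old/prototype.js": "var Prototype = {\n  Version: '1.5.1',\n};",
        "third_party/new/prototype.js": "var Prototype = {\n  Version: '1.6.1',\n};",
    }
    for rel, body in copies.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    # (1, 6, 1) is a placeholder minimum, not the actual fix version
    return [(os.path.relpath(p, root), v) for p, v in audit(root, (1, 6, 1))]

if __name__ == "__main__":
    print(demo())
```

Pointing `audit()` at a checkout and wiring it into a cron job gives the "upgrade early, upgrade often" check a mechanical form.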