Dear security team,

As suggested by Sam, I ask you to comment on the following issue.

I want to statically link my package aide to libcurl, which is
statically linked for security reasons. Since krb5 does not support
static libraries any longer (#439039), the static library of libcurl is
now useless (#495163) and therefore cannot be used by the aide package.

The options so far proposed in the discussion are described in the
quoted message below.

I for one would really dislike to drop the static aide binary and think
a static curl library without krb support is better than the current
one, which is not usable at all.

What is your opinion?

Thanks

Hannes

On Wed, May 15, 2013 at 08:06:23AM -0400, Sam Hartman wrote:
> My recommendation is that we talk to the security team.
> The biggest disadvantage of all these static libs running around is the
> number of packages they need to do security updates for.
> We could ask them about whether it's better to have:
> 
> 1) no static aide
> 
> 2) a static libcurl with less functionality, so aide needs to get
> libcurl security updates but not krb5 security updates
> 
> 3) A static aide with libcurl and somewhat crippled Kerberos meaning
> that aide needs to get libcurl and krb5 updates.
> In addition libcurl might potentially need to get rebuilt on Kerberos
> security updates.
> 
> I'm happy to go along with whatever they are comfortable with.
> I'd stick the static libs probably in a libkrb5-static package.
> 
> --Sam

