On Tue, Jul 19, 2005 at 12:13:05AM +0200, Tomas Fasth wrote:
[...]
> I want monotone to use the shared libraries of sqlite, popt, lua,
> etc as distributed with Debian.

Good!

Until then, I'd suggest you let the security team know that your
package has local versions due to the above-mentioned reasoning, so
they can decide what to do if and when those packages have issues.

Some time after filing the bug, I finally found out some details of
the local changes, and I have some possible ideas to get them done in
other ways:

* sqlite: As I understand, there's only an addition.
  - It might be put in an extra .c, so that it's only used in
    monotone.
  - The code using it might be rewritten to use a loop with
    sqlite3_prepare. (It's not faster than sqlite3_exec, as that uses
    the former.)
* lua: As I understand it, the changes are only to remove a function
  for the interpreter that basically does system() (as in libc), so
  one can't accidentally pass filenames with wildcards/backticks into
  the shell.
  - Instead, one could just register a failing function by that name
    into the interpreter.
* popt: I don't know.

Of course, the sqlite changes should be proposed to upstream for
inclusion.

> But it is not currently possible
> according to upstream. I should have mentioned this in more detail
> in the changelog, so thanks for pointing this out.

Yep, that would have been helpful. Maybe better put this into a
README.Debian or TODO.Debian.
(While there: /usr/share/doc/monotone/README currently does not give
any vital information to the user, really.)

    Elrond
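The "register a failing function by that name" idea from the message above, as an added example that is not part of the original mail and is not monotone's or Debian's code. It assumes the system()-like function is os.execute and that the host runs this setup chunk before loading any user hook; the hook source and the helper name `disabled` are constructed for illustration.

```lua
-- Setup chunk the embedding program runs right after opening the standard
-- libraries and before any user-supplied Lua is loaded.
-- Assumption: the function to neutralise is os.execute.

local function disabled(name)
  return function()
    -- Level 2 attributes the error to the calling line in the hook,
    -- so the log shows where the shell call was attempted.
    error(name .. " is disabled in this interpreter", 2)
  end
end

-- The name still exists, so scripts that reference it load normally,
-- but every call raises instead of handing a string to /bin/sh.
os.execute = disabled("os.execute")

-- Constructed hook source standing in for user-supplied Lua. The file
-- name carries a wildcard and backticks, which a shell would expand.
local hook_src = [[
  local file = "notes `date` *.txt"
  local rc = os.execute("ls " .. file)
  return rc
]]

local loadchunk = loadstring or load   -- Lua 5.1 vs. 5.2 and later
local hook = assert(loadchunk(hook_src, "=hook"))

-- The host calls hooks in protected mode, so the failure is reported
-- as an error value rather than aborting the program.
local ok, err = pcall(hook)
assert(not ok, "stubbed os.execute must raise, not run a shell")
print("hook rejected: " .. tostring(err))
```

The stub only covers the one name it replaces. Other standard-library routes to a shell, such as io.popen where the platform provides it, need the same treatment if the goal is to keep file names away from the shell entirely.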