Opened 13 years ago

Closed 13 years ago

#2781 closed enhancement (fixed)

Consider adding Popt to LFS

Reported by: randy@… Owned by: bdubbs@…
Priority: low Milestone: 6.8
Component: Book Version: SVN
Severity: minor Keywords:
Cc:

Description

The Pkg-Config package uses Popt. It will use an included version or a version already installed on the system. It might be wise to put Popt into the book in case there are vulnerabilities discovered in Popt and a new release is created, yet Pkg-Config doesn't make a new release, so the vulnerability would exist in Pkg-Config.

Just a thought. Close the ticket if it is overkill.

Change History (5)

comment:1 by Matthew Burgess, 13 years ago

Hi Randy,

Pkg-Config also includes a copy of Glib, which could be prone to vulnerabilities too. Unfortunately, fully testing Glib-2.26.0 requires at least 12 dependencies (I still haven't gotten a full passing testsuite yet).

Things get even more "interesting" for another LFS package, Gettext, which has optional dependencies on libxml2, java, fortran...

So, in short, whilst I don't have an objection against adding popt per se, it has the potential to open up the floodgates for further package additions.

Maybe an easier-to-manage approach here would be to add a note to those packages that bundle some of their dependencies, mentioning that the reader may want to rebuild them after installing the relevant BLFS packages?

Thanks,

Matt.

comment:2 by randy@…, 13 years ago

Hi Matt,

Actually, GLib-2 is only for Win32 platforms, which I hope we don't support. Linux uses the internal or external Glib-1 package, which is always going to be the same as it is not maintained any longer. No worries about version updates there.

So, really only Popt is the one to think about. In my build, I installed Popt before pkg-config, simply because it is so easy (CMMI), and it eliminates any possible vulnerabilities down the road.

As I mentioned, just close the ticket if the suggestion is overkill.
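The question behind this thread is whether a given pkg-config binary is resolving the system libpopt at run time or carrying a private copy built into it. The following shell helper is an added example written for this page, not code from the LFS ticket or the LFS book; it assumes that a bundled popt is linked statically (so it never shows up in `ldd` output, but its API symbol names such as `poptGetContext` are still present as strings in the binary), and the sample `ldd` output it carries is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not from the ticket or the LFS book: audit helper for a binary
# that either links the system libpopt or carries a private (bundled) copy.
# Assumption: a bundled popt is linked statically, so it is absent from ldd
# output while its symbol names (e.g. poptGetContext) remain in the binary.

# popt_linkage LDD_OUTPUT BINARY
#   prints one of:
#     system   - a libpopt shared object is resolved from the system
#     bundled  - no libpopt.so is listed, but the binary contains popt symbols
#     none     - no sign of popt at all
popt_linkage() {
    ldd_output=$1
    binary=$2
    if printf '%s\n' "$ldd_output" | grep -q 'libpopt\.so'; then
        echo system
    elif grep -a -q 'poptGetContext' "$binary"; then
        echo bundled
    else
        echo none
    fi
}

# Wrapper for a real system: locate the program in PATH and run ldd on it.
check_binary() {
    path=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }
    popt_linkage "$(ldd "$path" 2>/dev/null)" "$path"
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_LDD_SYSTEM='libpopt.so.0 => /usr/lib/libpopt.so.0 (0x00007f0000000000)
libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_LDD_NOPOPT='libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'

# Usage on a real system:
#   check_binary pkg-config
```

A result of `bundled` is the case the ticket worries about: a popt fix shipped by the system will not reach that binary until it is rebuilt, which is exactly what the note discussed below is meant to remind the reader of. A result of `system` means the binary picks up the installed libpopt, so a library update is enough.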

comment:3 by bdubbs@…, 13 years ago (in reply to comment:1)

Replying to matthew@…:

Maybe an easier to manage approach here would be to add a note to those packages that bundle some of their dependencies mentioning that the reader may want to rebuild them after installing the relevant BLFS packages?

I like that idea, Matt. It's a general solution that doesn't complicate LFS, yet gives the user useful information. We would need to add this to whatever packages are affected and we might miss something the first time around, but that's not a show stopper.

comment:4 by bdubbs@…, 13 years ago

Owner: changed from lfs-book@… to bdubbs@…
Status: new → assigned

I will add a note to Pkg-Config about the potential of building popt from BLFS first.

comment:5 by bdubbs@…, 13 years ago

Resolution: fixed
Status: assigned → closed

Added a note about popt in revision 9451.
