lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 5 Nov 2009 03:52:35 +0100 (CET)
From:	Mikulas Patocka <>
cc:	Martin Nybo Andersen <>,
	kevin granade <>,
	Alan Cox <>,
	"Ryan C. Gordon" <>,
	Måns Rullgård <>,
Subject: Re: package managers [was: FatELF patches...]

On Wed, 4 Nov 2009, wrote:

> On Thu, 05 Nov 2009 00:55:53 +0100, Mikulas Patocka said:
> > In some situations, the package manager is even more dangerous than manual 
> > install. For example, if you are manually installing new alpha-quality 
> > version of mplayer, and it is buggy, you end up with a working system with 
> > broken mplayer. If you install alpha-quality version from some package 
> > repository, it may need experimental version of libfoo, that needs 
> > experimental version of libfee, that needs experimental version of glibc, 
> > that contains a bug 
> Total bullshit.  You know *damned* well that if you were installing that 
> alpha version of mplayer by hand, and it needed experimental libfoo, 
> you'd go and build libfoo by hand, and then build the experimental 
> libfee by hand, and then shoehorn in that glibc by hand, and bricked 
> your system anyhow.

No, if I compile alpha version of mplayer by hand, it compiles and links 
against whatever libraries I have on my system. If I pull it out of some 
"testing" repository, it is already compiled and linked against libraries 
in the same "testing" repository and it will load the system with crap.

That is the unfortunate reality of not having a binary standard :-(

> Or if you're arguing "you'd give up after seeing it needed an experimental
> libfoo", I'll counter "you'd hopefully think twice if yum said it was
> installing a experimental mplayer, and dragging in a whole chain of pre-reqs".

... or use --disable-libfoo if it insists on newer version and I don't 
want to upgrade it. Or maybe the configure scripts detects on its own that 
the library is too old will compile without new features. Or it uses 
libfoo shipped with the sources.

But if the binary in the package is compiled with --enable-libfoo, there 
is no other way. It forces libfoo upgrade.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists