pkgsrc-Users archive


Re: Anti-bundling materials



On 08/21, Jason Bacon wrote:
> On 8/21/21 12:33 PM, J. Lewis Muir wrote:
> > As you said, this practice "leads to security issues and other bugs that
> > are difficult to fix because the software uses an outdated API."  I'm
> > not sure what you mean by "difficult to fix because the software uses an
> > outdated API" (I would think that would actually make the software more
> > likely to keep working because it has bundled the library with the API
> > that it uses), but in general, the exact same issues, and more outlined
> > in some of the resources you posted upthread, exist for the 99% that are
> > not being addressed.
> 
> What I'm saying here is the bundled library *is* the problem since it has
> known vulnerabilities or bugs, and we can't just hack the build system to
> use an up-to-date replacement from pkgsrc since the API is different.  There
> is one such tool I won't name that bundles an outdated SSL library, which
> people are using to process private health information.

Got it.  Then to me that's just an example of one of the reasons
why it's bad to bundle.  IMO, when a project bundles, they take on
responsibility for everything they bundle.  It's their responsibility to
monitor the software they bundle for security vulnerabilities, update
what they bundle if there is a security vulnerability, and make a new
release.  That's not your problem; that's the project that bundles'
problem.

As far as I'm concerned, the security vulnerability should be reported
against the project that bundles, and they should fix it (by patching or
updating the version they bundle).  If they don't fix it, then they'll
get a reputation for not caring about security, and users can choose
whether they're OK with that.

Lewis
