mp3 update

Reece Dunn msclrhd at googlemail.com
Thu Aug 13 14:03:02 CDT 2009


2009/8/13 Juan Lang <juan.lang at gmail.com>:
>> The reason you'd want to use dynamic linking is to ease security fix
>> updates. If a flaw is found in libmpg123 that allows remote code
>> execution (for example), any package that has its own version, or that
>> statically links it into the program, needs updating, rebuilding and
>> repackaging.
>
> Again, at what cost?  We have a patch proposed that fixes a real flaw
> (mp3 sounds bad in Wine.)  You all are asking Aric to do more to
> address flaws that are inconsequential, in my opinion (it takes more
> disk space than it needs to) or only theoretical (the new code might
> contain as yet unknown vulnerabilities.)
>
> As always, patches talk louder than emails.

I was not suggesting that libmpg123 should be made dynamic.

You asked what the rationale was - citing disk space as the only
reason. I was saying that disk space is not the only valid reason for
wanting to do this.

But there is a reason for using our own version -- the HeapAlloc/Free
and Wine tracing changes that Aric mentioned in the initial email. So
for that reason, it won't be practical to dynamically link.

At the end of the day, it all boils down to this: what is the simplest
strategy for maintaining the code and updating it in the future.

- Reece


