Comments regarding tensorflow_2.0.0-1_amd64.changes
M. Zhou
cdluminate at gmail.com
Tue Mar 3 05:18:29 GMT 2020
On Tue, 3 Mar 2020 at 05:04, Sean Whitton <spwhitton at spwhitton.name> wrote:
> My worry about these embedded code copies is maintainability. We do not
> have great tools for finding, nor updating, all the embedded copies of a
> library. So each time we introduce an embedded code copy then we are
> making it harder to fix bugs in Debian.
>
> This is particularly important for security fixes. The security team
> cannot be expected to go around finding multiple copies of libraries and
> uploading all the packages. AIUI tensorflow is expected to process
> untrusted input, so we would want it to be easy to fix security problems
> in its dependencies.
>
> Please let me know if I'm misunderstanding the nature of these
> dependencies.
>
Generally your understanding is correct. Embedded code
copies indeed cause problems when a security problem such
as a CVE arises.
My experience is that scientific software suffers less
from CVEs, but here I don't intend to fuss about why
scientific software may be treated a bit differently
since I have no strong proof.
Maybe I should rethink my personal packaging
preference.
--
Best,