Comments regarding tensorflow_2.0.0-1_amd64.changes

M. Zhou cdluminate at gmail.com
Tue Mar 3 05:18:29 GMT 2020


On Tue, 3 Mar 2020 at 05:04, Sean Whitton <spwhitton at spwhitton.name> wrote:

> My worry about these embedded code copies is maintainability.  We do not
> have great tools for finding, nor updating, all the embedded copies of a
> library.  So each time we introduce an embedded code copy then we are
> making it harder to fix bugs in Debian.
>
> This is particularly important for security fixes.  The security team
> cannot be expected to go around finding multiple copies of libraries and
> uploading all the packages.  AIUI tensorflow is expected to process
> untrusted input, so we would want it to be easy to fix security problems
> in its dependencies.
>
> Please let me know if I'm misunderstanding the nature of these
> dependencies.
>

Generally your understanding is correct. Embedded code
copies indeed cause problems when a security problem such
as a CVE arises.

My experience is that scientific software suffers less
from CVEs, but here I don't intend to fuss about why
scientific software may be treated a bit differently
since I have no strong proof.

Maybe I should rethink about my personal packaging
preference.
-- 
Best,