While I welcome the move to a Nix-like transactional package management system, the notion of "bundle everything in your app" leaves me extremely queasy. How are you going to guarantee that individual application developers update insecure versions of bundled third-party libraries in a timely manner?
Indeed. Somewhat related, but here's Debian's list of embedded code copies:

https://anonscm.debian.org/viewvc/secure-testing/data/embedd...

Lots of these have colourful/active security histories (esp. poppler, zlib, pcre, libpng...).