This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

Yaakov (Cygwin Ports) wrote:
I'm not sure what you mean by "linked" to rpm. While I'm aware that
popt was originally developed for rpm, it is a separate package used by
many other projects; and while the library (supposedly) hasn't had any
API breakage, surely the functionality has improved over 5+ years.

IOW, upgrading popt should have nothing to do with Cygwin's version of
rpm, although understandably you would want to test that first.

Well, popt is an odd duck. In the days of yore, the version distributed as an integrated part of the rpm source code was more up-to-date than any actual "versioned" release of the separate popt src tarballs. So there was always the question of whether to pull an outdated but official release of popt-src, or to extract it from the rpm tarball.

Then, rpm development kinda died off there for a while (and popt, with it). Now, rpm has been forked: there's the Jeff Johnson version (supported by OpenPkg/Mandriva/PLD, among others) at that's been under active development ever since Jeff left Red Hat in 2005.

Then, there's the Red Hat/Fedora version at, supported also by SuSe/Novell, which finally started getting some renewed development from those distros last December -- spurred on, no doubt, by Jeff's "official" announcement of his fork and launch of his site.

In each case, this fork also represents a fork of popt.

So, which one should be used? Obviously, that's up to the popt maintainer. If it were me, I'd have taken a wait-and-see attitude, hoping the forks would settle down (perhaps "unforking" the internal support libraries such as popt.)
