Hello.

On Tue, Jun 14, 2022 at 17:21, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> That would make it pretty painful for users IMO

The price to pay for playing outside the FLOSS ecosystem.

> and we'd need to make
> sure users are pointed to a "safe" and authentic place to get the
> binaries in addition to the jars.

No, we don't need to be sure; that's the point about Commons
not being responsible to remediate a security issue in source code
that doesn't come from "here".

>
> We can leave it up to the RM as to what to do on a per release basis I
> suppose, but I would not like us to build code and extra gadgetry to
> support this.

The idea was to reduce the burden.

>
> I did the previous release and would do the next one if no one else
> can. You must use macOS hardware to legally produce macOS binaries and
> you must use a legal copy of Windows for the Windows binary, that's
> the only hurdle I think.

Of course, that is the problem.

> Linux/Ubuntu is free and anyone can do that
> with Docker.

Or without it.

Gilles

>
> Gary
>
> On Tue, Jun 14, 2022 at 9:21 AM Gilles Sadowski <gillese...@gmail.com> wrote:
> >
> > Hello.
> >
> > Given the trouble it entails and the very few people who can or want
> > to be involved in (the maintenance of) cross-compilation, wouldn't it
> > be safer to make all binaries optional?
> > It would be the application developers' responsibility to drop them to
> > a location where the [Crypto] wrapper can find them.
> >
> > From a security POV, it seems (?) that this approach could dramatically
> > lower (or even remove) Commons' responsibility (and ensuing burden)
> > in case of vulnerabilities in the native code(s).
> >
> > Regards,
> > Gilles