On 9/18/19 2:04 PM, Alec Warner wrote:
>
> I'm actually pretty fine with this wording, upstream has said not to
> dynamically link in these use cases.
>

Respectfully, the fact that you're OK with it doesn't make it not BS. It reads like "there's no way we can fix this!" when really it means "we don't feel like doing this properly!" Upstreams suggest dumb stuff all the time. We fix it. That's, like, what we do here.

> So if the package *maintainer* bumps each package every time it, or a
> dep has a security issue; then updating will work fine.

Simply not true. If there's a security problem in a dependency and you bump the packages that depend on it... nothing happens. Everyone reinstalls the vulnerable dependency, because the vulnerable dependency is bundled in every single one of those packages.
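An added example illustrating the point above (not code from the thread or from any distro tooling): an audit that lists every package still shipping a vulnerable bundled copy of a dependency, regardless of the dependent package's own revision. It assumes the bundled copies are declared in a Go-style `vendor/modules.txt` manifest (the thread does not name the language); the package names, module path and versions are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: three packages, each carrying its own vendored copy of
# example.org/parser. app-b has had its revision bumped (-r2), which does
# nothing to the embedded copy; only app-c actually vendors the fixed version.
MANIFESTS: Dict[str, str] = {
    "app-a-1.4.0": (
        "# example.org/parser v1.2.3\nexample.org/parser\n"
        "# example.org/log v0.9.0\nexample.org/log\n"
    ),
    "app-b-2.0.1-r2": "# example.org/parser v1.2.3\nexample.org/parser\n",
    "app-c-0.3.0": "# example.org/parser v1.2.5\nexample.org/parser\n",
}

# vendor/modules.txt declares each vendored module on a "# <path> v<semver>"
# header line; package-path lines and "## explicit" markers are ignored.
HEADER = re.compile(r"^# (\S+) v(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


def bundled_versions(manifest: str) -> Dict[str, Version]:
    """Map each vendored module path to its (major, minor, patch) version."""
    out: Dict[str, Version] = {}
    for line in manifest.splitlines():
        m = HEADER.match(line)
        if m:
            out[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))  # type: ignore
    return out


def affected_packages(manifests: Dict[str, str], module: str,
                      fixed_in: Version) -> List[str]:
    """Packages whose bundled copy of `module` predates `fixed_in`.

    The dependent's own version or revision never enters the decision:
    a package is vulnerable exactly when the copy it embeds is."""
    hits = []
    for pkg, text in manifests.items():
        ver = bundled_versions(text).get(module)
        if ver is not None and ver < fixed_in:
            hits.append(pkg)
    return sorted(hits)


if __name__ == "__main__":
    for pkg in affected_packages(MANIFESTS, "example.org/parser", (1, 2, 4)):
        print("still bundles vulnerable example.org/parser:", pkg)
```

Run against a real tree, the same check would read each package's installed manifest instead of the constructed dictionary; the output is the list of packages that genuinely need a rebuild against the fixed dependency.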