Hartmut Goebel <h.goe...@crazy-compilers.com> writes:

> On 12.05.2017 at 19:39, Mark H Weaver wrote:
> > It would not interfere, but it could have the effect of *hiding*
> > security problems due to a failure to graft properly.
> > [...]
> > If we create a redundant set of references in another file, then
> > problems like this could go undetected for a long time.
>
> Reading your comments (and words like "hidden"), I assume you are
> referring to some compressed or otherwise unreadable data.
>
> Please don't confuse this: We are *not* talking about compressed
> files, but about plain text (or stored uncompressed within e.g. a
> zip-file).

Apologies if I've misunderstood. Earlier, you wrote:

> So I propose to add a small text file ".guix-dependencies" to all
> language's packages which do not add some kind of references
> themselves: Python, Perl, Java, etc.

What's the motivation for this proposal, if not to allow the scanner to
see references that would otherwise be obfuscated?

      Mark