Opened 14 years ago
Closed 14 years ago
#2070 closed Bug (fixed)
allow system copy of libevent to be used
Reported by: | ssuominen | Owned by: | charles |
---|---|---|---|
Priority: | Normal | Milestone: | 1.70 |
Component: | Transmission | Version: | 1.61 |
Severity: | Normal | Keywords: | patch-needed |
Cc: |
Description
Transmission 1.61 bundles a copy of libevent, version 1.4.10 with a small change if I'm not mistaken. It doesn't allow the user to select a library installed in system instead, which is a potential security issue for distribution packages and a small overhead.
Please provide a way to use the system library.
Change History (8)
comment:1 Changed 14 years ago by charles
- Keywords patch-needed added
- Owner set to charles
- Status changed from new to assigned
- Version changed from 1.60+ to 1.61
comment:2 Changed 14 years ago by charles
- Summary changed from Transmission 1.61 (and previous releases) bundles a copy of dev-libs/libevent to allow system copy of libevent to be used
comment:3 Changed 14 years ago by ssuominen
I meant by "potential security issue" that if the bundled library gets one, we need to track down every application in our Portage tree (thousands of applications) to find out where it's used, instead of patching it only in the system lib. Please try to see the issue from packagers point of view.
I'll try to hack up a patch for this in coming days.
comment:4 Changed 14 years ago by charles
ssuominen: any progress on this?
comment:5 Changed 14 years ago by charles
ssuominen: ping
comment:6 Changed 14 years ago by charles
ssuominen: any news?
comment:7 Changed 14 years ago by charles
ssuominen: the reason I keep pinging is that 1.70 is upcoming, and I'd like to get your patch into that release. Can you have the patch ready in the next couple of days?
comment:8 Changed 14 years ago by charles
- Milestone changed from None Set to 1.70
- Resolution set to fixed
- Status changed from assigned to closed
I think probably we should add an option in configure.in to use the system libraries instead of the ones in third-party. If want to cook up a patch for this, I'd likely put it into the next release.
In the meantime, I'm a little suspicious of the "potential security issue" language here, especially since you used the same boilerplate text in #2070. Is there an actual advisory you're referring to?