undefined | Better HN

0 pointsCyph0n2mo ago0 comments

I am unfamiliar with the details of distro packaging. Do they commonly use the attribution to route CVEs?

Regardless, the maintenance burden remains.

0 comments

I believe some distros require un-vendoring before accepting the package.

If the code you vendored was well hidden so the distro maintainer didn't notice, perhaps the bad guys would also fail to realize you were using (for instance) libxml2, and not consider your software a target for attack.

j / k navigate · click thread line to collapse

0 pointsCyph0n2mo ago0 comments

I am unfamiliar with the details of distro packaging. Do they commonly use the attribution to route CVEs?

Regardless, the maintenance burden remains.

0 comments

BenjiWiebe2mo ago

I believe some distros require un-vendoring before accepting the package.

j / k navigate · click thread line to collapse