Duplicates of third-party libraries

Martin P. Hellwig martin.hellwig at dcuktec.org
Tue Dec 8 02:20:58 EST 2009


Ben Finney wrote:
<cut>
> This omits the heart of the problem: There is an extra delay between
> release and propagation of the security fix. When the third-party code
> is released with a security fix, and is available in the operating
> system, the duplicate in your application will not gain the advantage of
> that fix until you release a new version of your application *and* that
> new version makes its way onto the affected computer.
> 
> That is an additional delay, that only occurs because the hypothetical
> security bug exists in a duplicate copy of the third party code. That
> delay is entirely eradicated if your application instead uses a
> system-installed library; your application then gains the security fix
> immediately when they upgrade the system-installed library, without the
> user having to upgrade the application at all.
> 

I fully agree with your reasoning and I think you raised a valid point.

However, for me (as in YMMV), I have observed the following behaviour:
- Distribution security fixes are time-wise at best on par with my releases.
- Although some distributions (like Ubuntu) offer updates on third-party 
dependencies (like the Python interpreter), most of them don't (Windows).
- A user is more likely to update a program he uses than a third-party 
dependency he doesn't think he uses, especially if that program has an 
auto-update feature and the dependency doesn't.
- In the ideal world, an upgrade of a dependency won't break your 
program; in reality users fear upgrading dependencies because they don't 
know for sure it won't result in a DLL-hell type of problem.

With these observations in mind, and because it gives me more control on 
what I am delivering, I made the trade-off that I send platform-specific 
fully self-contained (as far as possible) executables.

But you are right that it does give me the obligation to provide a way 
for the customer to get updates ASAP if there is a security issue in my 
program; whether this originally comes from a third-party library or not 
is, from the user's perspective, rightfully so, beside the point.


-- 
MPH
http://blog.dcuktec.com
'If consumed, best digested with added seasoning to own preference.'
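The delay the thread describes is only visible if you know which bundled copies of a library exist and how far they lag behind the system-installed one. The script below is an added example, not code from either poster: it walks a directory tree for vendored copies of a package (identified by a directory of that name containing an `__init__.py`), reads `__version__` from each, and flags every copy that is older than a given system version. The package name `foo`, the application directories `app_a`/`app_b`, and the version numbers are constructed sample data built in a temporary directory; the `__version__` convention is assumed, as is the case for many but not all Python packages.

```python
"""Audit a tree for vendored copies of a package that lag behind the system version.

Added example for the Python-list thread on duplicated third-party libraries;
not the poster's code.  Sample tree and versions below are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches a module-level  __version__ = "1.2.3"  (single or double quotes).
VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so 1.2.10 > 1.2.9 compares numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def read_version(pkg_dir):
    """Return the __version__ string from <pkg_dir>/__init__.py, or None if absent."""
    init = Path(pkg_dir) / "__init__.py"
    if not init.is_file():
        return None
    match = VERSION_RE.search(init.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None


def find_vendored_copies(root, package):
    """Return every directory named `package` under `root` that is an importable package."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath).name == package and "__init__.py" in filenames:
            hits.append(Path(dirpath))
            dirnames[:] = []  # a package's own subpackages are not separate copies
    return hits


def stale_copies(root, package, system_version):
    """Return [(path, version)] for bundled copies older than `system_version`.

    A copy whose version cannot be read is reported too (version None): an
    unidentifiable bundled library is exactly the one nobody will patch.
    """
    system = parse_version(system_version)
    stale = []
    for path in find_vendored_copies(root, package):
        version = read_version(path)
        if version is None or parse_version(version) < system:
            stale.append((str(path), version))
    return stale


def demo():
    """Constructed scenario: two self-contained apps, each bundling its own 'foo'.

    The system ships foo 1.4.0 (assume it carries a security fix); app_a still
    bundles 1.2.0 and app_b bundles 1.4.1.  Only app_a's copy should be flagged.
    """
    root = Path(tempfile.mkdtemp(prefix="vendor_audit_"))
    for app, version in (("app_a", "1.2.0"), ("app_b", "1.4.1")):
        pkg = root / app / "lib" / "foo"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text('__version__ = "%s"\n' % version)
    return stale_copies(root, "foo", system_version="1.4.0")


if __name__ == "__main__":
    for path, version in demo():
        print("stale bundled copy: %s (version %s)" % (path, version))
```

Run against a real install root (for example the directory a self-contained executable unpacks into) with the system version taken from `importlib.metadata.version(package)`, this gives the list of bundled copies that would still carry the bug after the distribution has shipped its fix.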



More information about the Python-list mailing list