by racingmars 812 days ago
> If you're maintaining one of the most widely used packages that is directly linked to by libsystemd and is included by pretty much every Linux distro as part of the base system? Then maybe some measure of paranoia is justified.

But whose problem is that? systemd chose to link against liblzma, not the other way around. I doubt the xz maintainer(s) make money off of the project, and I'm assuming it's a spare-time/side-project type thing. Why should the fact that the library is included in every distro and is a dependency of systemd affect the xz maintainers' obligations? The leader of systemd has been variously employed by RedHat and Microsoft... if they're choosing to pull in an external dependency for systemd and then making money off of selling their Linux distros/cloud services, it would seem they're the ones that could afford to take on the burden of reviewing everything with a fine-toothed comb, not the xz maintainers.

1 comment

I like your thinking. Absolutely. And very true. Even the folk who put the backdoor in will be getting paid. Everybody making bank, except Lasse.