24 Mar 2014, 10:44 p.m.
On Mon, Mar 24, 2014 at 5:55 PM, Alan Pevec apevec@gmail.com wrote:
2014-03-24 19:14 GMT+01:00 Doug Hellmann doug.hellmann@dreamhost.com:
I tend to agree that a dependency change like this is "too big." OTOH, do we have any security ramifications for leaving the code as-is? Would it make sense to try to figure out which library is available and use it, rather than requiring one or the other?
That would be a stable-only patch so it would be even more risky IMHO. I guess the solution here is to document security issues clearly in 2013.2.3 release notes as Adam suggested.
Cheers, Alan
OK, I can go along with that.
Doug