The problem with shipping 3rd party libraries with your product
By user13342178 on Jun 18, 2007
The latest releases of StarOffice and OpenOffice.org contain 2 security fixes.
102967 reminds me that we should take a closer look at which 3rd party libraries we ship with the next major versions.
There are 3 reasons for shipping these libraries with SO/OOo, instead of making them a system requirement:
1) It's convenient for the user. Just download and install the productivity suite, without having to care about additional downloads and installations.
2) Modified versions. In some cases SO/OOo ship modified versions of 3rd party libraries, because we made some bug fixes which are not yet available in the official versions of that library.
3) No problems with ABI compatibility. Sometimes 3rd party libraries change in a way that makes them incompatible with current versions of SO/OOo. Sometimes this even happens in a way that users don't notice immediately (the application still starts), but some things behave differently (and wrongly).
This happens, for example, when new enum values are introduced in the middle of existing values. An example of this can be found in the FreeType library, which was responsible for one of the security vulnerabilities.
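The enum problem described above, as an added C example (not code from StarOffice, OpenOffice.org or FreeType): the `render_mode_*` enums and `lib_v2_*` functions are hypothetical names. It shows an application built against the old header passing integers that a newer library build reads as different values, next to the append-only change that keeps the ABI stable.

```c
#include <stdio.h>
#include <string.h>

/* Header the application was compiled against (hypothetical library, v1). */
enum render_mode_v1 { V1_NORMAL, V1_LIGHT, V1_MONO };

/* Header the installed library was built from (v2): SUBPIXEL was inserted
   in the middle, so LIGHT and MONO silently changed their numeric values. */
enum render_mode_v2 { V2_NORMAL, V2_SUBPIXEL, V2_LIGHT, V2_MONO };

/* ABI-safe alternative: the new value is appended, old numbers never move. */
enum render_mode_v2_safe { S_NORMAL, S_LIGHT, S_MONO, S_SUBPIXEL };

/* Library built from the v2 header. Only the integer crosses the ABI. */
const char *lib_v2_mode_name(int mode)
{
    switch ((enum render_mode_v2)mode) {
    case V2_NORMAL:   return "normal";
    case V2_SUBPIXEL: return "subpixel";
    case V2_LIGHT:    return "light";
    case V2_MONO:     return "mono";
    default:          return "invalid";
    }
}

/* Same library, built from the append-only header instead. */
const char *lib_v2_safe_mode_name(int mode)
{
    switch ((enum render_mode_v2_safe)mode) {
    case S_NORMAL:   return "normal";
    case S_LIGHT:    return "light";
    case S_MONO:     return "mono";
    case S_SUBPIXEL: return "subpixel";
    default:         return "invalid";
    }
}

/* Count v1 requests that the given library build would misinterpret. */
int count_mismatches(const char *(*lib)(int))
{
    static const char *const v1_names[] = { "normal", "light", "mono" };
    int bad = 0;
    for (int m = V1_NORMAL; m <= V1_MONO; m++)
        if (strcmp(lib(m), v1_names[m]) != 0) bad++;
    return bad;
}

int main(void)
{
    printf("inserted: %d wrong, appended: %d wrong\n",
           count_mismatches(lib_v2_mode_name), count_mismatches(lib_v2_safe_mode_name));
    return 0;
}
```

Nothing fails at link or load time in the mismatching case, which is why the application still starts and only misbehaves later.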
But in general, there should only be one copy of each library on a system, if possible. Programs shouldn't install "private copies".
Item #5 is exactly what we are talking about here...