Hi,
indeed. Never bundle a library. Never. Never. Never.
PCRE had some severe security issues recently and I assume that these are not fixed in the privoxy release tarball. If we fix the issues in pcre, it will automatically be fixed in privoxy too when dynamically linked. If pcre is statically linked, we usually wouldn't know that a vulnerable version of pcre is in there, and even if we did, this would create extra work to fix the same issue there, too.
So just don't do it. They should actually remove the bundled version upstream.
-Michael
On Mon, 2016-01-25 at 21:25 +0100, Matthias Fischer wrote:
Hi,
I have some short questions about using the feature "FEATURE_DYNAMIC_PCRE" in privoxy and would be grateful if someone could give me some short hints or explanations.
In the past this feature was always disabled through the configure-option "--disable-dynamic-pcre". The only explanation 'privoxy' gives is the 'configure --help' text:
"--disable-dynamic-pcre Use the built-in, static pcre, even if libpcre is available".
The 'privoxy' status tells me: "FEATURE_DYNAMIC_PCRE => Dynamically link to the PCRE library. This is set automatically by ./configure if you do not have libpcre installed. Dynamically linking to an external libpcre is recommended as the one that is distributed with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in."
So for testing purposes - being curious - I enabled this feature by deleting "--disable-dynamic-pcre" from the 'privoxy' lfs file. Everything was built, everything seems to be running fine. But although I searched for a better statement of what this option really does, I didn't find one, and now I would like to know what the dis/advantages of this option are.
Disable or enable dynamic PCRE - what is better for 'privoxy' and IPFire? And what does it do? Some short statements or hints would be sufficient!
Sorry, if this seems to be some dumb question, but I want to be sure...
Best, Matthias
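
Added example, not part of the original thread and not Privoxy or IPFire code: one way to tell which of the two cases discussed above a built binary falls into, by parsing `readelf` output for DT_NEEDED entries and for `pcre_*` functions defined in the binary itself. The function names and the sample `readelf` excerpts are constructed for illustration.

```python
import re
import subprocess
import sys

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[(.+?)\]")

# Constructed excerpts in the layout of `readelf -d` and `readelf -s -W` output.
SAMPLE_DYNAMIC = """\
 0x0000000000000001 (NEEDED)  Shared library: [libpcre.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
"""
SAMPLE_SYMS_DYNAMIC = """\
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND pcre_compile
    13: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND pcre_exec
"""
SAMPLE_SYMS_BUNDLED = """\
   101: 0000000000412340   812 FUNC    GLOBAL DEFAULT   14 pcre_compile
   102: 0000000000413000  2048 FUNC    GLOBAL DEFAULT   14 pcre_exec
"""

def needed_libs(dynamic_text):
    """Shared libraries the loader resolves at start-up (DT_NEEDED entries)."""
    return NEEDED_RE.findall(dynamic_text)

def defined_pcre_funcs(symbol_text):
    """pcre_* functions whose code lives inside the binary itself."""
    found = set()
    for line in symbol_text.splitlines():
        cols = line.split()  # Num: Value Size Type Bind Vis Ndx Name
        if len(cols) < 8 or not cols[0].rstrip(":").isdigit():
            continue
        name = cols[7].split("@")[0]  # drop any symbol-version suffix
        if cols[3] == "FUNC" and cols[6] != "UND" and name.startswith("pcre_"):
            found.add(name)
    return found

def classify(dynamic_text, symbol_text):
    if defined_pcre_funcs(symbol_text):
        return "bundled"  # own copy: a fixed system libpcre does not reach it
    if any(lib.startswith("libpcre") for lib in needed_libs(dynamic_text)):
        return "dynamic"  # picks up the distribution's libpcre updates
    return "unknown"      # no PCRE, or a stripped binary hiding a static copy

if __name__ == "__main__":
    def readelf(flag):
        return subprocess.run(["readelf", flag, "-W", sys.argv[1]],
                              capture_output=True, text=True).stdout
    print(classify(readelf("-d"), readelf("-s")))
```

An "unknown" result on a stripped binary is not a clean bill of health: a statically linked copy leaves no DT_NEEDED entry and, once symbols are stripped, no `pcre_*` names either.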