
Those are not problems which are specific to linking to/using particular versions of libraries. How do you ensure that security updates of commands and configuration files happen? It's not a new or different problem.

One can choose to use the default version, which by implication will be the latest and greatest version that is installed on the machine. And your program/package will get updates as they are installed.

If you use a particular version of the library:

- a local admin can choose to accept the risk
- a package maintainer can label the package risky, and/or delete/disable/deprecate the package
- a program maintainer can update the code to use the new version

One can't abdicate responsibility for security by assuming that your binary will run with a secure version of a library.

Cheers
John

On Fri, 2017/11/03 01:09:47PM -0400, Dhaval Giani <dhaval.giani@gmail.com> wrote:
| How do you ensure security updates happen everywhere, or that you are
| not linking to an insecure version? What about old software which is
| no longer maintained? Also work is not duplicated?
|
| Dhaval