Jakub Jirutka:
If #xz were a Go or Rust dependency, you wouldn't have a single copy of the xz library on your system, but many, with the #xzbackdoor hidden in every executable that uses it. Distros would have to rebuild all packages using that lib (not just the lib itself), which could take days or weeks, and users would have to update them all, downloading tens or hundreds of megabytes.
If you install binaries directly from vendors/devs, it's even worse: you wouldn't even know which ones are affected and you'd (1/3)
Jakub Jirutka (in reply to Jakub Jirutka):
be at the mercy of the devs to provide the update. Not a group of active maintainers behind the distro, but many individual devs, some of whom lack the time or motivation and sustainability. The same goes for Docker containers, Flatpak and similar!
This is called static linking or bundling. Instead of rebuilding and updating a single shared library, you have to rebuild and update every single thing that links/bundles it. In the case of static linking, you usually can't even tell which (2/3)
Jakub Jirutka (in reply to Jakub Jirutka):
libraries it's linked with!
Now do you see the value of #Linux distros and dynamic linking? Please, stop this insane "single binary" mantra and work with distros, not against them.
If #rustlang wants to replace C, devs need to acknowledge this and start providing dynamically linkable libraries with stable ABI. (3/3)
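The practical question behind the thread above is "which of the binaries on this box bundle the affected library?". For Go binaries there is a partial answer, because the Go linker embeds the main module and the full dependency list (with versions) in every binary, and the standard library can read it back out. The program below is an added example written for this page, not code from the thread or from any project mentioned in it: it walks a directory, reads the embedded build info of each file with the standard `debug/buildinfo` package, and reports which binaries record a given module path. Files without Go build info (a C program with liblzma linked in statically, a stripped non-Go binary, or anything else) are counted separately, because for them nothing can be read, which is exactly the blind spot the post describes. The module path and directory are command-line inputs; `github.com/ulikunitz/xz` in the usage note is only an example of a module you might search for.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"path/filepath"
	"runtime/debug"
)

// Hit records one Go binary whose embedded module list names the module we
// are hunting for, together with the version that was compiled in.
type Hit struct {
	Binary  string
	Version string
	Replace string // set when a replace directive substituted another module
}

// FindInBinary reads the build info that the Go linker embeds in every Go
// binary and reports whether the wanted module path is among the recorded
// main module and dependencies. ok is false when the file is not a Go
// binary (or carries no build info), in which case nothing can be learned
// about what it bundles from the binary alone.
func FindInBinary(path, wanted string) (hits []Hit, ok bool) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, false
	}
	mods := append([]*debug.Module{&bi.Main}, bi.Deps...)
	for _, m := range mods {
		if m == nil || m.Path != wanted {
			continue
		}
		h := Hit{Binary: path, Version: m.Version}
		if m.Replace != nil {
			h.Replace = m.Replace.Path + "@" + m.Replace.Version
		}
		hits = append(hits, h)
	}
	return hits, true
}

// ScanDir walks dir, inspects every regular file, and returns every hit plus
// counts of how many files carried Go build info and how many did not.
// Unreadable files are counted with the "no build info" group.
func ScanDir(dir, wanted string) (hits []Hit, goBinaries, noBuildInfo int) {
	filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		h, ok := FindInBinary(p, wanted)
		if !ok {
			noBuildInfo++
			return nil
		}
		goBinaries++
		hits = append(hits, h...)
		return nil
	})
	return hits, goBinaries, noBuildInfo
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintf(os.Stderr, "usage: %s <dir> <module-path>\n", os.Args[0])
		os.Exit(2)
	}
	hits, goBins, other := ScanDir(os.Args[1], os.Args[2])
	for _, h := range hits {
		fmt.Printf("%s bundles %s@%s", h.Binary, os.Args[2], h.Version)
		if h.Replace != "" {
			fmt.Printf(" (replaced by %s)", h.Replace)
		}
		fmt.Println()
	}
	fmt.Printf("%d Go binaries inspected, %d files without Go build info "+
		"(may still embed the code statically; nothing to read)\n", goBins, other)
}
```

Run it as `go run . /usr/local/bin github.com/ulikunitz/xz` (or any other module path you are worried about). Note the caveat in the last line of output: the count of files without build info is not a clean bill of health, only a list of binaries the method cannot see into. Rust has an opt-in equivalent (`cargo auditable` embeds the dependency list in a dedicated section), but a library linked statically into a C program leaves no such record unless the vendor chose to provide one.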
Jakub Jirutka (in reply to Jakub Jirutka):
cvedetails.com/vulnerability-l…
Link preview: Golang GO : Security vulnerabilities, CVEs (www.cvedetails.com)

federico (in reply to Avebury Rosetta):
you mean a huge blob? That's a docker image.

Elena ``of Valhalla'' (unknown parent):
@Aleksandra Fedorova @ITwrx @Neal Gompa @kravietz @Jakub Jirutka and even for single-person projects, having a packager in each main distribution who isn't the upstream developer is a big plus, as it provides a minimum of oversight and redundancy.
Not much, especially when said maintainer(s) are overworked and demoralized, but still better than nothing.
Aleksandra Fedorova (in reply to Elena ``of Valhalla''):
@valhalla
Yes, that is an important point too.
When we say co-maintainer, we often implicitly assume that it should be an equally or comparably skilled person doing the same tasks.
And then we stop at a thought on how hard it is to find a duplicate.
While it doesn't have to be.
There is plenty of room for a developer to collaborate with a tester, or a packager or a build engineer, or a documentation writer.
It often can be healthier too.
@ITwrx @Conan_Kudo @kravietz @jakub