Re: Reducing the attack surface caused by Berkeley DB...

[Lionel Debroux <lionel_debroux@yahoo.fr>]

Hi Adrian,

On 1/27/18 6:27 AM, Adrian Bunk wrote:
> On Fri, Jan 26, 2018 at 11:49:41PM +0100, Lionel Debroux wrote:
> > ...
> > On 1/26/18 11:39 AM, David Kalnischkies wrote:
> > ...
> > > Finding someone performing the daunting task of actually switching
> > > code, documentation and existing databases over on the other hand…
> > > I at least don't see me enthusiastically raising my arm crying
> > > "let me, let me, …".
> > Heh. Neither do I see myself for such a task :)
> > ...
>
> Open source development does not work by random people on the internet
> telling volunteers in a project what they should do.
I received such requests over the past 15 years I've been contributing
to, and later leading the maintenance and evolution of, less-used open
source software.

But you know the breadth of the task, and therefore the time investment
it requires; it's therefore unsurprising that people like David and
myself (as a Debian user for over a decade, but not really familiar with
Debian procedures) aren't eager to subscribe to the tasks of modifying
core aspects of dozens of foreign code bases, and the corresponding
docs, or contacting significant amounts of packagers and upstreams ;)

Thanks for the heads-up about the potential attitude problem, though.

> Guillem already pointed at a mail thread with the same suggestion
> on this same mailing list 4 years ago.
>
> There doesn't seem to be any disagreement on the general idea,
> the only thing missing is a person doing the work on getting
> all Debian packages ported away from Berkeley DB while ensuring
> that users don't lose data due to that.[1]
Alright.
Before we can envision reaching such an ambitious, longer-term goal,
we'll collectively have to work on small, achievable goals and tasks...
and whoever does that and follows up on it (yes, I shall spend some time
on the matter) needs help from Debian developers more familiar with
procedures, at the very least :)

For instance, from another sub-thread: for Buster, would it be feasible
to smoothly split the libdb5.3-dependent binaries from libpam-modules,
apt-utils, libaprutil1 (popcon by_inst #423), the Perl and Python
distributions to new binary packages ?

> Since this is something that is important for you, this is a great
> opportunity for you to get involved in Debian development.
Indeed. In a way, I already started, by spending time writing (partially
redundant, in this case) e-mails about foreign software, rather than
working on code bases more familiar to me, but which have _far_ fewer
users than BDB or earlier and more privately, libmodplug.

> If it is not important enough for you to spend your time on it,
> then 2022 is the estimated date when the next person will start
> a "remove Berkeley DB" discussion on this mailing list...  ;-)
Understood, let's do a bit better than that ;)


Thanks,
Lionel.


> [1] it is not clear whether there will have to be one more
>     Debian release with Berkeley DB just for upgrades
If there's such a release, I'm afraid Buster won't be it: in less than a
year, the task of providing an upgrade path and deprecating BDB from
every upstream, or removing the corresponding packages from the archive,
looks way too large...