Re: Limited security support for Go/Rust? Re ssh3



On Mon, Jan 15, 2024 at 10:17:17AM +0100, Bastian Blank wrote:
> On Sun, Jan 14, 2024 at 04:24:57PM +0100, Simon Josefsson wrote:
> > Isn't that what the text refers to?  Vendoring and static linking are
> > two examples of the same problem that the security team may encounter.
> 
> We accept vendoring of autoconf/automake/gnulib distro wide.

We _did_ accept that in the past, but these days you get smacked with a RC
bug for not building from source.

> Please show practical problems with it?

* not working on new archs (most of the work of making sure autoconfage gets
  rebuilt was done by arm64 porters when it was a new thing)
* not being able to fix bugs in autoconfage
* failing to adapt to changes in the toolchain

> The vendoring of gnulib, well, is old and maybe you could
> show that it is a problem in the sources that have it, aka they don't
> handle security fixes and at the same time don't change the library.

Gnulib has not been useful for ages, thus packages still shipping vendored
copies are harmless -- functions that gnulib was meant to provide
implementation for were missing on ancient unices like HP-UX or SCO that
are long dead by now.  A glance at recent commits in gnulib shows a lot of
retrocomputing names: Windows, OS/2, MacOS 10.5, AIX, on hardware of that
level of recency.  It's not used for new ports: the most recent reference
to riscv in commit messages is from _2018_.


Thus, I say the problem with vendored libraries is mostly unrelated to
that of static linking, and thus they don't need to share a solution.

> Here the problem is embedded into the language ecosystem itself.  It is
> not a choice of the software author to do static linking.

It's mostly an issue with the deployment scheme at Google: I heard they
recompile all their software and reinstall it on their fleet EVERY WEEK.
This is about the only case where non-special-case (/sbin/ldconfig etc)
static linking works.

Then they shared their internal project with the world (good) without caring
how it affects others (bad).  Unlike them, we can't rebuild the world every
time a bug is fixed (security or not).


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁                            'Russkiy voyennyi korabl, idi nakhuy'
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀