On Thu, 16 Jun 2016 15:44:11 -0400, Przemek wrote:
> I get that, but as I said, RPM can have sandboxing too, and so far it
> looks like the main vulnerability vector is unpatched software. Flatpak
> wouldn't have helped with Heartbleed, and the right remediation for it
> was rapid patching---which was hampered by all the bundled SSL libraries
> even without many containers in the mix.
> I do see the utility of containers, and realize that properly curated
> containers can be patched as well as native packages. It's just that I
> am concerned that they will diffuse responsibility for patching so much
> that effectively curation will fail.
To me though you are talking about an ideal world where everything is
properly packaged into rpms and everybody deals with security issues
promptly.
There is a lot of evidence however that we aren't living in such an
ideal world, and as a result there is a lot of software installed
outside of rpms that rarely gets updated.
How much of this self-installed software would get updated when the
next vulnerability is found (or for that matter, how much self-installed
software still has old bundled SSL exposing systems)?
The way I see it is the single-distribution model turned out to be
too difficult for third-party software authors, who just couldn't
provide packages for every distribution in a fragmented marketplace.
At the same time, the distributions like Fedora don't have the
manpower to do the packaging work for everyone. Therefore, we the
users started loading random configure+make/npm/pip/curl|sh stuff.