Consequences of library bundling (was: Re: OpenH264 in Fedora)

Florian Weimer fweimer at
Wed Nov 6 17:31:43 UTC 2013

On 11/06/2013 04:05 PM, Adam Jackson wrote:
> On Wed, 2013-11-06 at 09:36 +0100, Roberto Ragusa wrote:
>> On 11/04/2013 07:30 PM, Alberto Ruiz wrote:
>>> A media codec should not be a system wide component (I'd go as far as
>>> saying it should not be user-session wide, but application bundled).
>> ???
>> Would you so apply the same reasoning to libjpeg and libtiff?
>> Security nightmare.
> It's only a nightmare because we've steadfastly refused to build the
> tools to a) track library bundling inside app-bundles b) automate bundle
> rebuilds c) force replacement of bundle contents either by sysadmin
> action or by policy.

You also have to port security fixes to all slightly different bundled 
versions.  Not every security fix is that trivial two-liner, and 
libraries which benefit most from bundling (because they have unstable 
APIs and are under heavy development) are exactly those where 
backporting is hard.  That is the really hard problem.

Tracking bundling and defective bundled software is no picnic either, 
but at least it can be somewhat automated (see the Victims project for 
Java/Maven, or some of the bundling detection logic in Lintian).  That's 
much harder with backporting.

Florian Weimer / Red Hat Product Security Team
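The "tracking bundling" step above can be mechanised with a fingerprint scan. This is an added illustration, not code from the thread, from Victims or from Lintian: it walks an application tree, identifies bundled libjpeg/libtiff copies by the version macro in their headers (the macro names are the real ones, the sample tree and the "fixed in" versions are constructed), and lists the copies that still need a rebuild.

```python
import os
import re
import tempfile
from pathlib import Path

# Fingerprints for two libraries named in the thread. The macro names are the ones
# the real headers use; the sample tree and "fixed in" versions are constructed.
FINGERPRINTS = {
    "libjpeg": ("jpeglib.h", re.compile(r"#define\s+JPEG_LIB_VERSION\s+(\d+)")),
    "libtiff": ("tiffvers.h",
                re.compile(r'TIFFLIB_VERSION_STR\s+"LIBTIFF, Version (\d+(?:\.\d+)*)')),
}

def version_key(v):
    """Turn '4.0.10' or '62' into a tuple so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def find_bundled(root, fingerprints=FINGERPRINTS):
    """Walk an app tree and report every bundled copy of a fingerprinted library."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for lib, (header, pattern) in fingerprints.items():
            if header in files:
                path = Path(dirpath) / header
                m = pattern.search(path.read_text(errors="replace"))
                if m:
                    hits.append((path.relative_to(root).as_posix(), lib, m.group(1)))
    return sorted(hits)

def needs_rebuild(hits, fixed_in):
    """Keep the bundled copies older than the version a given fix landed in."""
    return [h for h in hits
            if h[1] in fixed_in and version_key(h[2]) < version_key(fixed_in[h[1]])]

def scan_sample_tree(fixed_in):
    """Write constructed app bundles to a temp dir, scan them, return (found, to_rebuild)."""
    samples = {  # two apps, each carrying its own copies of the libraries
        "app-a/third_party/jpeg/jpeglib.h": "#define JPEG_LIB_VERSION  62\n",
        "app-b/vendor/jpeg-9/jpeglib.h": "#define JPEG_LIB_VERSION  90\n",
        "app-b/vendor/tiff/tiffvers.h":
            '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.3\\nCopyright"\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        found = find_bundled(root)
        return found, needs_rebuild(found, fixed_in)
```

Calling `scan_sample_tree({"libjpeg": "80", "libtiff": "4.0.4"})` flags app-a's libjpeg 62 and app-b's libtiff 4.0.3 but not app-b's libjpeg 90; the inventory side is the easy part, and as the post notes, porting the fix into each flagged copy is the work no scanner does for you.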
