Consequences of library bundling (was: Re: OpenH264 in Fedora)
fweimer at redhat.com
Wed Nov 6 17:31:43 UTC 2013
On 11/06/2013 04:05 PM, Adam Jackson wrote:
> On Wed, 2013-11-06 at 09:36 +0100, Roberto Ragusa wrote:
>> On 11/04/2013 07:30 PM, Alberto Ruiz wrote:
>>> A media codec should not be a system wide component (I'd go as far as
>>> saying it should not be user-session wide, but application bundled).
>> Would you so apply the same reasoning to libjpeg and libtiff?
>> Security nightmare.
> It's only a nightmare because we've steadfastly refused to build the
> tools to a) track library bundling inside app-bundles b) automate bundle
> rebuilds c) force replacement of bundle contents either by sysadmin
> action or by policy.
You also have to port security fixes to all slightly different bundled
versions. Not every security fix is that trivial two-liner, and
libraries which benefit most from bundling (because they have unstable
APIs and are under heavy development) are exactly those where
backporting is hard. That is the really hard problem.

Tracking bundling and defective bundled software is no picnic either,
but at least it can be somewhat automated (see the Victims project for
Java/Maven, or some of the bundling detection logic in Lintian). That's
much harder with backporting.
Florian Weimer / Red Hat Product Security Team
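The thread above contrasts two jobs: tracking which library copies are bundled inside an application tree (automatable, in the spirit of Victims or Lintian) and backporting fixes into every slightly different copy (not automatable). The following scanner is an added example written for this page; it is not code from the Victims project, Lintian, Fedora or any poster, and every library name, version, catalogue entry and file on disk in it is constructed. It illustrates the tracking half and, in passing, why a hash catalogue alone is not enough: an exact known build is caught by its SHA-256, but a locally patched copy of the same library (exactly the "slightly different bundled version" Florian refers to) has a different hash and is only caught by the version banner embedded in the file.

```python
"""Hypothetical bundled-library scanner (added example; not Victims, Lintian or Fedora code).

Walks a directory tree and flags files that look like bundled copies of a
known library, using two signals:
  1. exact content hash found in a catalogue of known library builds
  2. a version banner embedded in the file content (e.g. "libexample 1.4.1")
The catalogue, library names, versions and files below are all constructed.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed: library -> first version carrying a published fix.
# Anything older is reported as outdated.
FIXED_IN = {"libexample": (1, 4, 3)}

# Constructed banner pattern: "<name><sep>v?<major.minor[.patch]>"
BANNER_RE = re.compile(rb"(libexample|libdemo)[ _-]v?(\d+\.\d+(?:\.\d+)?)")


@dataclass
class Finding:
    path: str
    library: str
    version: str
    signal: str      # "hash" (catalogue match) or "banner" (string match)
    outdated: bool


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_version(s):
    return tuple(int(x) for x in s.split("."))


def is_outdated(lib, ver):
    fixed = FIXED_IN.get(lib)
    return fixed is not None and parse_version(ver) < fixed


def scan_tree(root, known_hashes):
    """known_hashes: sha256 hex digest -> (library, version). Returns Findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in known_hashes:            # signal 1: exact known build
                lib, ver = known_hashes[digest]
                findings.append(Finding(path, lib, ver, "hash", is_outdated(lib, ver)))
                continue
            with open(path, "rb") as f:          # signal 2: version banner in content
                head = f.read(1 << 20)
            m = BANNER_RE.search(head)
            if m:
                lib, ver = m.group(1).decode(), m.group(2).decode()
                findings.append(Finding(path, lib, ver, "banner", is_outdated(lib, ver)))
    return findings


def build_demo_tree():
    """Constructed app tree: one exact known build, one locally patched copy,
    one unrelated bundled library, and a file that is not a library at all."""
    root = tempfile.mkdtemp(prefix="bundle-demo-")
    vendor = os.path.join(root, "app", "vendor")
    os.makedirs(vendor)
    exact = b"\x7fELF constructed bytes of libexample 1.4.1\n"
    with open(os.path.join(vendor, "libexample.so"), "wb") as f:
        f.write(exact)
    with open(os.path.join(vendor, "libexample-patched.so"), "wb") as f:
        f.write(b"\x7fELF locally modified build libexample 1.4.1 plus downstream patches\n")
    with open(os.path.join(vendor, "libdemo.a"), "wb") as f:
        f.write(b"!<arch> libdemo-2.0.0 ok\n")
    with open(os.path.join(root, "app", "README"), "wb") as f:
        f.write(b"nothing to see here\n")
    # Catalogue knows only the pristine upstream build, as a hash database would.
    known = {hashlib.sha256(exact).hexdigest(): ("libexample", "1.4.1")}
    return root, known


def demo():
    root, known = build_demo_tree()
    return scan_tree(root, known)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.signal:6} {f.library} {f.version} outdated={f.outdated}  {f.path}")
```

Running it reports three findings: libdemo 2.0.0 via banner (no fix on record, so not outdated), the patched libexample copy via banner (outdated), and the pristine libexample via hash (outdated). Only the first signal tells you the bundle is byte-identical to a build you could rebuild centrally; the banner hit on the patched copy is the case where somebody still has to backport the fix by hand.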