Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 0:32 UTC (Sat) by smokeing (guest, #53685)
In reply to: Wheeler: Insecure open source software libraries? by khim
Parent article: Wheeler: Insecure open source software libraries?

Debian-shipped libpng-1.2.xx is not only actively maintained upstream, but also comes with its own set of patches on top of it to close any issues upstream hasn't had time to deal with. I would bet that at any time whenever a vulnerability is reported against libpng, Debian will be the first to fix it and ship it safe, no matter what exact version it is and how 'old' it may look.

Concerning the main point, as a gentoo user, I ditched chrome even before it finished building as soon as I noticed the (huge!) source tarball contained a shitload of '3rd party' libraries that are *already* on my system.
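The Chrome tarball observation above is the bundling problem in concrete form: a vendored copy of libpng or zlib inside an application tree is a separate binary that a distribution security update never touches. As an added example (not code from LWN, any commenter, Chromium or Debian), the Python script below walks a source tree, finds embedded libpng and zlib copies by the version macros their public headers really define (PNG_LIBPNG_VER_STRING in png.h, ZLIB_VERSION in zlib.h), and compares each with the version the host provides. The sample tree, its version numbers and the SYSTEM_VERSIONS table are constructed for the demo; on a real Debian host the table would be filled from dpkg output.

```python
"""Find vendored (bundled) copies of common C libraries inside a source tree.

Added example for this thread, not code from LWN, Debian, Chromium or any commenter.
Bundled copies are located through the version macros the real headers define and
compared with the system package version, so a packager knows which copies a
distribution security update will NOT reach.
"""
import os
import re
import tempfile

# Real version macros from the public headers. Small table on purpose; extend as needed.
HEADER_MACROS = {
    "png.h": ("libpng", r'#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"'),
    "zlib.h": ("zlib", r'#\s*define\s+ZLIB_VERSION\s+"([^"]+)"'),
}

def parse_version(text):
    """Turn '1.2.44' into (1, 2, 44) for comparison; non-numeric suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def find_bundled_libs(root):
    """Walk root and return sorted [(library, relative header path, version)] for each copy."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in HEADER_MACROS:
                continue
            lib, pattern = HEADER_MACROS[name]
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = re.search(pattern, fh.read())
            if m:
                found.append((lib, os.path.relpath(path, root), m.group(1)))
    return sorted(found)

def compare_with_system(bundled, system_versions):
    """Classify each bundled copy relative to the host's version of the same library.

    system_versions maps library name -> installed version string. It is supplied
    by the caller so the check runs offline; a Debian host would fill it from dpkg.
    """
    report = []
    for lib, path, ver in bundled:
        sys_ver = system_versions.get(lib)
        if sys_ver is None:
            status = "no system copy"
        elif parse_version(ver) < parse_version(sys_ver):
            status = "OLDER than system copy: distro security fixes do not reach it"
        elif parse_version(ver) == parse_version(sys_ver):
            status = "same as system copy (still a separate binary to patch)"
        else:
            status = "newer than system copy"
        report.append((lib, path, ver, sys_ver, status))
    return report

def build_sample_tree():
    """Construct a throwaway tree that mimics a tarball with vendored libraries (constructed data)."""
    root = tempfile.mkdtemp(prefix="vendored-demo-")
    samples = {
        "third_party/libpng/png.h": '#define PNG_LIBPNG_VER_STRING "1.2.40"\n',
        "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.5"\n',
        "src/main.c": '#include "png.h"\nint main(void) { return 0; }\n',
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

# Constructed stand-in for what dpkg/rpm would report on the host.
SYSTEM_VERSIONS = {"libpng": "1.2.46", "zlib": "1.2.5"}

def demo():
    """Run the audit over the constructed tree and return the report rows."""
    root = build_sample_tree()
    return compare_with_system(find_bundled_libs(root), SYSTEM_VERSIONS)

if __name__ == "__main__":
    for lib, path, ver, sys_ver, status in demo():
        print(f"{lib:7} {path:28} bundled={ver:8} system={sys_ver}  {status}")
```

The "same version" case is reported deliberately: even an identical bundled copy is compiled into the application, so a later libpng advisory still requires a rebuild of the application rather than just the shared library update.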

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 12:27 UTC (Sat) by khim (subscriber, #9252)

> Debian-shipped libpng-1.2.xx is not only actively maintained upstream, but also comes with its own set of patches on top of it to close any issues upstream hasn't had time to deal with.

Well, this makes it even worse, doesn't it? Now I not only have to contend with an old version of the library, I must track differences between distributions, too.

> Concerning the main point, as a gentoo user, I ditched chrome even before it finished building as soon as I noticed the (huge!) source tarball contained a shitload of '3rd party' libraries that are *already* on my system.

Well, that's your choice. I think Chrome developers know they are losing some users with their “my way or the highway” mentality - and I think it's a conscious choice.

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 12:39 UTC (Sat) by rqosa (subscriber, #24136)

> Well, this makes it even worse, doesn't it? Now I not only have to contend with an old version of the library, I must track differences between distributions, too.

No, you don't need to track differences between distributions. You just need to decide which version of the API to develop against, and then trust that the distributions will either ship a non-vulnerable and API-compatible variant of the library or cease shipping any library with that API version. (In the latter case, that means they've stopped shipping your program too, until you port it to a currently-maintained version of the API.)

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 13:01 UTC (Sat) by khim (subscriber, #9252)

This is fine if your goal is to “participate in the advancement of the FOSS ecosystem”. If your goal is to “create something for real users” then this approach does not work: distributions clog the communication between developer and user, yet usually have no resources to fix my application anyway. The last bit (that distributions feel they have the right to decide for me if users deserve to see my app or not) is especially insulting - this is an Apple-worthy level of arrogance. But at least Apple provides access to a huge (and lucrative!) market in exchange. What do the distributions do to deserve such a position?

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 14:59 UTC (Sat) by rqosa (subscriber, #24136)

> If your goal is to “create something for real users” then this approach does not work

It works for me — and don't you dare try to tell me I'm not a "real user".

> The last bit (that distributions feel they have the right to decide for me if users deserve to see my app or not) is especially insulting - this is an Apple-worthy level of arrogance.

No it isn't. The distributions aren't actively preventing you from using non-distribution-provided software; some of them even encourage doing just that. Whereas Apple does actively prevent you from using unapproved software on iOS.

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 12:56 UTC (Tue) by michaeljt (subscriber, #39183)

> The distributions aren't actively preventing you from using non-distribution-provided software; some of them even encourage doing just that.

What percentage of users do you think are using a distribution which encourages the use of third-party software? My feeling was that the majority prefer you to either use only software they package (in the version they package) or software specifically targeted at and integrated with their distribution.

Wheeler: Insecure open source software libraries?

Posted Apr 13, 2012 13:04 UTC (Fri) by nix (subscriber, #2304)

> What percentage of users do you think are using a distribution which encourages the use of third-party software?

Ubuntu (via PPAs)? Lots.

Wheeler: Insecure open source software libraries?

Posted Apr 13, 2012 16:51 UTC (Fri) by khim (subscriber, #9252)

PPAs are the right step politically, but an awful step technically: it's very easy to thoroughly hose the system with just a few PPAs.

To make them really effective and safe to use you need the very same "stable ABI promise" which can make an appstore-like model usable.

Wheeler: Insecure open source software libraries?

Posted Apr 26, 2012 9:56 UTC (Thu) by steffen780 (guest, #68142)

It's very easy to hose your shining example Windows by installing random stuff off the internet. This is why we have distros: to reduce the need for installing random stuff off the Internet. That applies to any OS. Well, except iOS, where you're prevented from installing stuff that isn't blessed by Apple (unless you root it of course - and then you can hose your system by installing random stuff off the internet).

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 12:58 UTC (Tue) by michaeljt (subscriber, #39183)

khim wrote:
> The last bit (that distributions feel they have the right to decide for me if users deserve to see my app or not) is especially insulting - this is an Apple-worthy level of arrogance. But at least Apple provides access to a huge (and lucrative!) market in exchange. What do the distributions do to deserve such a position?

Just out of interest, what software do you work on? You seem to have very strong feelings on software distribution issues.

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 14:12 UTC (Tue) by khim (subscriber, #9252)

Well, it's not a secret.

We are in a somewhat unique position because we are providing packages for different OSes and, more importantly, we talk with developers and hope to attract them to our platform.

This means that we see not only the distribution problems but also observe the developers' needs and wants WRT the new, nascent platform. There are many different observations (I can't talk about all of them publicly), but the key observation is: developers care about potential future users, they don't care about the platform - and why should they? What they especially don't care about is the rules of said platform: for developers these rules are obvious obstacles which must be overcome somehow to reach the user. A necessary evil, nothing more.

Traditionally the Linux desktop just ignored Joe Average users and Joe Average developers. It was content to play with its existing rules and its existing developers. But now GNOME/KDE/etc are clearly trying to attract new Joe Average users - yet distributions refuse to talk with Joe Average developers. IOW: Linux desktop developers have said A but they still are refusing to say B. WTF? What's all this hoopla about?

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 14:44 UTC (Tue) by anselm (subscriber, #2796)

> The last bit (that distributions feel they have the right to decide for me if users deserve to see my app or not) is especially insulting - this is an Apple-worthy level of arrogance.

That would depend not only on your app but also on the distribution. Debian, for example, seems to be happy to take anything that is (a) distributable by Debian and (b) supported by somebody who will see to packaging the software for Debian.

So if you're a distribution and you don't package an app you're »arrogant«. If you do package as much as you can package, you get flak for overwhelming your users with choices. In any case you get booed for not offering 500.000 packages like the iOS app store does (even if 499.000 of those »apps« are either glorified bookmarks, trying to sell you something, or are otherwise uninteresting or useless). It seems there is no pleasing everybody all the time.

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 20:51 UTC (Tue) by khim (subscriber, #9252)

> That would depend not only on your app but also on the distribution. Debian, for example, seems to be happy to take anything that is (a) distributable by Debian.

Yup. That's what I'm talking about. Apple is cursed for its huge 30% cut while Debian demands a price point of zero (and source code to boot).

> Seems there is no pleasing everybody all the time.

It's impossible in principle. The problem is not that Debian manages to piss off somebody. The problem is that Debian pisses off 99% of users and 90% of developers (perhaps even more: there are more developers among Linux users but I'm not sure the difference is 10x).

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 23:05 UTC (Tue) by anselm (subscriber, #2796)

> Apple is cursed for its huge 30% cut …

Where's the problem? As a book author I would be enthusiastic if my publisher let me keep 70% of the proceeds of selling my books.

> … while Debian demands a price point of zero (and source code to boot).

The whole point of Debian is providing a free (as in freedom) OS. While free (as in freedom) software does not need to be free as in beer, the Debian repositories do not have a coin slot, and that is generally considered a Good Thing™.

On the other hand, a piece of software does not actually need to be inside the Debian repository to be usable on a Debian-based system. There is no reason whatsoever why somebody could not use their own repository to make their commercially-licensed software available for Debian, with dependencies on the Debian repository if required. With a steep price tag and no source code.

> The problem is that Debian pisses off 99% of users …

This is probably not true. My company provides Linux instruction, among other things, and we get a constant stream of requests from people who run, or are interested in running, Debian-based installations. In fact, the proportion of Debian work we do is steadily rising while the proportion of SLES work (which used to be our bread-and-butter business) is going down. We certainly do more work based on Debian these days than we do based on RHEL or even CentOS.

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 23:16 UTC (Tue) by dlang (✭ supporter ✭, #313)

The Ubuntu PPA approach works very nicely for adding an extra repository for some special application, and the really nice thing is that once it's set up, updates for this application work just like updates for all the other software on the system.

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 15:55 UTC (Sat) by Del- (guest, #72641)

"Now I not only have to contend with an old version of the library, I must track differences between distributions, too."

No, support the latest stable version of one or a couple of the major distributions (Debian, Ubuntu, RHEL, SLES). Those who run Arch will deal with it with few complaints. It is not hard to do and works wonders for proprietary software in the enterprise. You will need the occasional recompile every other year; that's basically it. It is not perfect, but it is certainly not the nightmare you make it out to be.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds