
Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 15:45 UTC (Sat) by Del- (guest, #72641)
In reply to: Wheeler: Insecure open source software libraries? by khim
Parent article: Wheeler: Insecure open source software libraries?

"Ubuntu LTS then you must support old versions of libraries then it's much easier to bundle then - in this case you know you always have the version you've included."

If you want bleeding edge libs, you need to bundle them, and that is quite trivial to do. However, your conclusion is way off. With Ubuntu LTS you know exactly what version you are getting, and you know that you will be getting bug-fixes and security fixes too, without you having to do anything. Quite contrary to when you bundle, when you (as application distributor) will need to track and update libs with all bug-fixes and security-fixes.

On one hand you criticize Ubuntu LTS for not being rolling (i.e., keeping API and major versions of libraries fixed), and on the other hand you complain about not knowing which library it ships. You seem very hard to please.



Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 17:36 UTC (Sat) by khim (subscriber, #9252)

With Ubuntu LTS you know exactly what version you are getting

Rilly? Ubuntu Lucid Lynx includes freetype 2.3.11, Ubuntu Precise Pangolin includes freetype 2.4.8. And Ubuntu LTS is just one flavor of Linux among many! Just Ubuntu gives us four different versions at the same time and then there are Debian, Fedora, OpenSUSE, etc. They all include different versions of libraries and most of them include different local patches. This is a Q&A nightmare!

you know that you will be getting bug-fixes and security fixes too, without you having to do anything.

Well, this is a nice “feel good” advantage from the user's POV, but from the developer's POV it's not an advantage at all: instead of tracking the upstream fixes now I must track and redo all the Q&A work every time some library gets a security update and Linux distributions stampede with fixes.

On one hand you criticize Ubuntu LTS for not being rolling (i.e., keeping API and major versions of libraries fixed), and on the other hand you complain about not knowing which library it ships. You seem very hard to please.

Sure. But that's because there is an intrinsic conflict: it's easier to develop something if you always deal with the latest version of the software, but if you want to deploy something then you need a stable foundation. The usual solution outside of Linux is to provide a stable foundation and allow the developer to bundle newer or forked versions of libraries if s/he wants/needs them. Linux provides unstable foundations (dozens of libraries must be supported/tested at the same time) and tries to forbid bundling libraries to solve this problem, too. IOW: it combines the worst properties of both worlds. No wonder developers are not happy.

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 18:57 UTC (Sat) by Wol (guest, #4433)

But you miss. LTS stands for "Long Term Support". That means it doesn't change! You're tilting at windmills.

The libraries will have any relevant bug fixes applied - that's what LTS effectively means. After all, doesn't RHEL (the equivalent of Ubuntu LTS) still actively support kernel 2.4 in at least one guise !!! ???

Cheers,
Wol

Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 13:06 UTC (Sun) by nix (subscriber, #2304)

Wasn't he also suggesting that the ideal was a system where all the libraries never change? This makes complaining about LTS systems where exactly that property is true somewhat peculiar.

Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 14:48 UTC (Sun) by khim (subscriber, #9252)

Wasn't he also suggesting that the ideal was a system where all the libraries never change?

Not exactly, but close enough.

This makes complaining about LTS systems where exactly that property is true somewhat peculiar.

Except I'm not complaining. I was just pointing out that vonbrand's statement (distributions usually push new library versions out aggressively) is a lie. Distributions most definitely don't push new library versions out aggressively - and that means that quite often the best alternative is to bundle the library with the application.

The alternative would be a way to supply applications with the required versions of a library which bypasses the distributions - and I'm not sure if such a system is feasible or even possible.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 8:48 UTC (Mon) by nix (subscriber, #2304)

Distributions *do* push new library versions out aggressively. Specifically, they push out security fixes, and they push out publicly released ABI/API changes when and only when there are things in the distro themselves that depend on them.

If you don't do the latter, you end up being trapped by things like the short-lived libjpeg7, which broke soname and required a massive relink only to change soname *again* and require another huge relink when you'd just finished the last one.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 9:23 UTC (Mon) by khim (subscriber, #9252)

Distributions *do* push new library versions out aggressively.

No, they don't.

Specifically, they push out security fixes,

Usually, but not always. YMMV, as usual.

and they push out publicly released ABI/API changes when and only when there are things in the distro themselves that depend on them.

IOW: they most definitely don't “push new library versions out aggressively”. They do it only when it's convenient for them.

Note: I don't see this as anything “wrong” or as “something which should be fixed”. But since they don't usually push new library versions out aggressively it's often easier to bundle a new version of the library with your program rather than try to persuade distributions to do that for you.

If you don't do the latter, you end up being trapped by things like the short-lived libjpeg7, which broke soname and required a massive relink only to change soname *again* and require another huge relink when you'd just finished the last one.

Yup. This may be a valid justification for distributions, but what about poor applications which needed/wanted to use JPEG7 when JPEG8 was not yet available?

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 14:56 UTC (Mon) by nix (subscriber, #2304)

Yup. This may be a valid justification for distributions, but what about poor applications which needed/wanted to use JPEG7 when JPEG8 was not yet available?

Were there any?

Major libraries with significant improvements (rather than the tiny ones in libjpeg7) will get packaged. Minor ones might not. In that situation, yes, you'll probably have to bundle them if unavailable on the distro -- but look at icculus's porting efforts to see how much work this isn't. This is really not as big a problem as you're making it out to be. (For games, at least, the state of Linux 3D support was much more of a problem until recently.)

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 9:43 UTC (Tue) by khim (subscriber, #9252)

For games, at least, the state of Linux 3D support was much more of a problem until recently.

That's because you cannot bundle it with a game. The things which you can bundle (some kind of ffmpeg, lua or mono, etc) are just bundled without any consideration for the distribution's plight.

You don't hear cries about games from the distribution packagers not because they don't bundle as much as Chromium is bundling, but because games mostly are from the “proprietary commercial software” category and as such are ignored by distributions totally. One example: World Of Goo. The list of bundled libraries includes libSDL and libogg, zlib and libpng… Everything is bundled. Only three libraries are not bundled: GLibC, libstdc++ and libGL. And that's because you cannot really bundle them: libGL is hardware dependent and for technical reasons usually needs shared GLibC and libstdc++…

Some game developers try to play by distribution's rules and usually are burned: it's much harder to install these games because the libraries they require are just not there.
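The trade-off argued in this thread (bundled copies of libSDL, libogg, zlib and libpng never receive the distribution's security updates, so the application vendor has to track fixes itself) can be turned into a routine check. This is an added example, not code from the thread or from any project named in it; the bundled version numbers and the "first fixed in" advisory table are constructed placeholders, and the release-line check ignores fixes for a different line, the way a libjpeg7 fix would not apply to a libjpeg8 copy.

```python
"""Added example, not from the LWN thread: flag bundled libraries that lag
behind a known security fix on their own release line.  All version and
advisory values below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed inventory of one hypothetical bundled application directory:
# library name -> version of the shipped copy.  Values are made up.
BUNDLED_LIBS: Dict[str, str] = {
    "libpng": "1.2.44",
    "zlib": "1.2.3",
    "libogg": "1.2.2",
    "libSDL": "1.2.14",
}

# Constructed advisory table: (library, affected release line, first fixed
# version).  Placeholders, not real advisory data.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("libpng", "1.2", "1.2.46"),
    ("libpng", "1.5", "1.5.10"),   # other line; must not match a 1.2.x copy
    ("zlib", "1.2", "1.2.5"),
    ("libSDL", "1.2", "1.2.14"),   # bundled copy already at the fixed version
]


def parse_version(text: str) -> Version:
    """Turn '1.2.44' into (1, 2, 44) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def in_line(version: Version, line: Version) -> bool:
    """True if version belongs to the release line: 1.2.44 is in 1.2 but
    not in 1.5, so a fix for another soname line is ignored."""
    return version[: len(line)] == line


def stale_bundled(bundled: Dict[str, str],
                  advisories: List[Tuple[str, str, str]]) -> Dict[str, Tuple[str, str]]:
    """Return {library: (shipped version, first fixed version)} for every
    bundled copy that is older than a fix on its own release line."""
    findings: Dict[str, Tuple[str, str]] = {}
    for lib, shipped in bundled.items():
        shipped_v = parse_version(shipped)
        for adv_lib, line, fixed in advisories:
            if adv_lib != lib or not in_line(shipped_v, parse_version(line)):
                continue
            if shipped_v < parse_version(fixed):
                # if several fixes apply, report the newest one the copy lacks
                prev = findings.get(lib)
                if prev is None or parse_version(prev[1]) < parse_version(fixed):
                    findings[lib] = (shipped, fixed)
    return findings


if __name__ == "__main__":
    for lib, (have, need) in sorted(stale_bundled(BUNDLED_LIBS, ADVISORIES).items()):
        print(f"{lib}: bundled {have}, security fix landed in {need}")
```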

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 10:41 UTC (Tue) by Cato (subscriber, #7643)

Good point about some games that don't bundle libs - this might be what happened to me with Crayon Physics Deluxe (in one of the Humble Indie Bundles), as I couldn't easily get it working on Linux and ended up using Windows.

Wheeler: Insecure open source software libraries?

Posted Apr 12, 2012 15:26 UTC (Thu) by nye (guest, #51576)

> Only three libraries are not bundled: GLibC, libstdc++ and libGL. And that's because you cannot really bundle them: libGL is hardware dependent and for technical reasons usually needs shared GLibC and libstdc++…

Probably not coincidentally, that also appears to be a more-or-less exhaustive list of libs which care deeply about long-term ABI compatibility. And I'm not so sure about libstdc++.

(I'm semi-joking, but mostly not)

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 19:12 UTC (Sat) by Del- (guest, #72641)

Ubuntu Lucid Lynx is the current LTS. Precise Pangolin is not released, and hence not relevant. Ubuntu is one flavour among four relevant flavours. Let me repeat: support one or a couple of the four, and you will find little resistance. It is very common to only support one version of RHEL and SLES; as long as it is the latest version, we are happy. The rest is a problem for the community. I know, as an application developer you still get the heat. No, you don't: make your supported distro explicit, people are not that dense. When you explicitly tell them their distro is not supported, it is all up to their distro to provide compatibility. This works surprisingly well. Worst case scenario, Red Hat gets more paid customers. It is as easy as that. Not perfect, but the model works, and has for many years. The real problem is when app developers don't bother supporting a current version of _any_ distribution (do you have any experience of this?). OpenSuse even provides tools for packaging both debs and rpms; the real world problem is that proprietary developers don't know how to package at all, not that packaging is so damn difficult.

"I must track and redo all the Q&A work every time some library gets the security update and Linux distributions stampede with fixes."

No you don't. The only trouble you will find is your own damn bugs. And most developers are quite sloppy there. Please try to keep some decent perspective.

"it's easier to develop something if you always deal with latest version of the software"

Indeed. On this we agree. Developers have a religious tendency to use bleeding-edge libraries. They simply must have these latest features. As I already said, then you bloody well have to bundle or compile static. Bundling libraries can be done quite easily in Linux (given that some libraries like Qt have complexity that can be a nuisance). I can help you out in your next project if you like.

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 19:24 UTC (Sat) by rqosa (subscriber, #24136)

Freetype isn't a good example for you to pick there — app developers seldom use it directly, but instead use it indirectly from a widget toolkit library.

And I believe that the major toolkits try to have backwards compatibility throughout each major version (so apps developed for version x.y should run on x.(y+1), though not vice-versa — and sometimes C++ ABI changes have prevented this), and allow multiple major versions to be installed alongside each other. (And maybe freetype is like that too, I'm not sure…)

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 20:40 UTC (Sat) by khim (subscriber, #9252)

Freetype isn't a good example for you to pick there — app developers seldom use it directly, but instead use it indirectly from a widget toolkit library.

This is exactly why it's a good example. Apps “don't use it directly” yet it still affects them. Surprisingly enough it's not even a version difference but a configuration difference. If you prerender something and then write text near the prerender using a freetype-based library then you can only achieve a good result if the freetype used has the same options (especially WRT the bytecode interpreter) - and these options are unknown to you if you use the system version of freetype!

Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 7:57 UTC (Sun) by rqosa (subscriber, #24136)

It seems like you're insisting that the upstream app developer must do "quality assurance" on every possible OS or distribution that the app can possibly run on. That's just fundamentally impossible in the absence of an OS monoculture, and by its very nature GNU/Linux cannot become a monoculture. (That would mean getting rid of all but one distro, and there's no way this is possible when all of the platform components are FLOSS.) So you just can't do that kind of QA on this platform. Linux users understand this is so and still keep using it, because the benefits of non-monoculture outweigh the downsides.

Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 10:59 UTC (Sun) by khim (subscriber, #9252)

It seems like you're insisting that the upstream app developer must do "quality assurance" on every possible OS or distribution that the app can possibly run on.

No. If some platform uses programs designed for another platform - it's their choice, and in this case the OS designers should provide Q&A. This is a very common case: it happens every time a new version of an OS is released (as usual Linux desktop developers shirk this responsibility, but other OS vendors are more serious about it).

But yes, if a developer releases a program for some platform (especially if said program is sold for $$) then s/he must do Q&A - or else why release anything at all?

That's just fundamentally impossible in the absence of an OS monoculture, and by its very nature GNU/Linux cannot become a monoculture.

You don't need monoculture. Android releases include a lot of customizations - yet most of them don't affect app developers at all. The observed problems are mostly caused by changes in hardware (for example all the programs which assumed you can use a trackball to move around are basically unusable on Galaxy Nexus S… yet they still run and users can use them with an external mouse).

Linux users understand this is so and still keep using it, because the benefits of non-monoculture outweigh the downsides.

Sorry, but this is bullshit. This description may cover some small percentage of Linux users but most of them think that when something does not work on Fedora (usually because of SELinux) it's our fault even if the identical package works on Ubuntu. So no, they don't “understand this”. If you'll visit any FOSS conference you'll see how many former Linux users finally understood it… and decided that life is too short to play these games. Most of them are now MacOS users, but some returned back to Windows.

Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 18:31 UTC (Sun) by rqosa (subscriber, #24136)

> But yes, if developer releases program for some platform (especially if said program is sold for $$) then s/he must do Q&A - or else why release anything at all?

The developer shouldn't try to do QA on every Linux distribution out there — doing it on just one major distro should be sufficient, and the user community will figure out how to get it to work on any other distro where there's enough demand for the app in question.

> Android releases include a lot of customizations - yet most of them don't affect app developers at all.

You could say the same thing about Windows — when it's preinstalled on PCs, it usually has customizations specific to that PC model and its manufacturer. As far as the platform APIs are concerned, though, it's still a monoculture.

> If you'll visit any FOSS conference you'll see how many former Linux users finally understood it… and decided that life is too short to play these games.

Yaaawwwnnnnn… We've heard a billion variations on the theme of "Linux is dying" (much of which was thinly-disguised propaganda FUD) for more than a decade now, and it's not even once been true. As far as I'm concerned, the Linux user experience just keeps getting better and better as time goes on, and that could hardly happen if users were abandoning the platform in droves.

> Most of them are now MacOS users, but some returned back to Windows.

Funny you should say that. 11 years ago, I thought that Mac OS X was great — it should run all the Unixy stuff I'm used to, plus most of the proprietary stuff that's not available on Linux, so what's not to like? Then I tried to actually use it, and quickly got frustrated by how many hoops I had to jump through to do things that on Linux would have needed little more than "apt-get install foo" or "./configure && make install". Since then I've been unwillingly dragged back to it at least once, and it was just as bad as ever.

I dare you to try this: build the latest Git snapshot of FFmpeg on Mac OS X. I tried that once (well, except FFmpeg was still using SVN back then), and it went something like this: first I had to untar the Fink tarball into a directory, then figure out how to change some config file to enable building source packages from the unstable branch of Fink, then run the command to build it — which made it download lots of stuff, compile said stuff, download lots more stuff, compile it, and on and on and on until I ran out of patience.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 1:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

>Then I tried to actually use it, and quickly got frustrated by how many hoops I had to jump through to do things that on Linux would have needed little more than "apt-get install foo" or "./configure && make install"

So that's why you use fink ( http://www.finkproject.org/ ) or simply do "./configure && make install" on Mac OS X.

Oh, and there's that newfangled marketplace for consumer software.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 21:48 UTC (Mon) by rqosa (subscriber, #24136)

> So that's why you use fink ( http://www.finkproject.org/ ) or simply do "./configure && make install" on Mac OS X.

Did you read the paragraph below that? Like I said there, I did use Fink — and even so, I found it very frustrating to do things that were easy to do with Linux distributions / package managers.

For one thing, there seemed to be lots of packages which were available only as source packages in the "unstable branch" (I forget the exact terminology it used), which required me to edit a config file to switch to that branch (or else the package manager would say that the package in question doesn't exist), and I had a hard time finding the documentation that explained how to make that change. And then once I got that far, trying to build the package made it take a huge amount of time downloading and compiling dependencies and build-dependencies, to the point that I never even found out whether it actually finished or not. (This all happened during a group meeting for a class project, where I was trying to install FFmpeg on someone else's computer so he could use it to transcode video files, and it was still downloading/compiling things when I left for the day.)

By comparison, building source packages on Linux distributions (such as AUR packages on Arch Linux) has always seemed a lot easier to me. I suppose it's partly because Mac OS X by default has next to none of the dependencies and build-dependencies installed (e.g. build tools aren't installed, and neither are lots of the libraries which generic-Unix programs like ffmpeg depend on and which are likely already installed on a machine running a Linux distro), and partly because the developer community for Fink is smaller than that of the major Linux distributions and/or unofficial package repositories like the AUR (and other Fink-like projects, such as MacPorts, seem to be even smaller) thus it has fewer packages.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 23:17 UTC (Mon) by CycoJ (guest, #70454)

> You don't need monoculture. Android releases include a lot of customizations - yet most of them don't affect app developers at all. The observed problems are mostly caused by changes in hardware (for example all the programs which assumed you can use a trackball to move around are basically unusable on Galaxy Nexus S… yet they still run and users can use them with an external mouse).

Funny, have you actually looked at the review comments for apps on the Android market? It's full of reviews like "does not work on Samsung ..., HTC ...", "Please make this work on HTC..."

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 10:28 UTC (Tue) by khim (subscriber, #9252)

I was on both sides of the fence… Do you know just why there are all these endless messages? 9 times out of 10 (if not 99 times out of 100) that's because said HTC or Samsung has an older version of the OS than the one clearly written in the app requirements.

This means that complainers don't even think about OS upgrade (we have the same situation with NaCl which does not work with MacOS 10.6.7) - and you expect that they will track and install application dependencies? Preposterous.

Wheeler: Insecure open source software libraries?

Posted Apr 26, 2012 9:51 UTC (Thu) by steffen780 (guest, #68142)

Small reality check: go and look how easy it is to upgrade the average Android phone. Once you found out you can come back and complain about lazy users failing to update their devices using official or easy updates that almost always don't exist; or using root access that generally requires reading pages upon pages upon pages to get. If it's possible at all.

And of course if you belong to the 1% or so of people who have the required skillset you have to give up your warranty (according to the manufacturers at least, I for one would love to see this tested in court).

The situation is slightly better on iOS, but even there updates are only available for a fraction of the useful life of these extremely expensive devices.

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 20:33 UTC (Sat) by gioele (subscriber, #61675)

> now I must track and redo all the Q&A work every time some library gets the security update and Linux distributions stampede with fixes.

And that is not a problem because you have an automated test suite, don't you?

Wheeler: Insecure open source software libraries?

Posted Apr 7, 2012 20:48 UTC (Sat) by khim (subscriber, #9252)

It's a notoriously difficult task to write UX test suites.

It's possible to do some automatic tests, but ultimately it's not a replacement for Q&A, sorry.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds