Wheeler: Insecure open source software libraries?
Posted Apr 12, 2012 16:45 UTC (Thu) by khim (subscriber, #9252)
So the application must contain bugs so that your idea that libraries must be bundled has no problems ;)
Of course library bundling is a problem! But it's not a “100% bullet-proof solution” vs an “insecure solution”, but a “pretty insecure solution” vs a “slightly more secure solution”.
And not having to focus on when various distributions find faults in underlying libraries is far from not maintaining your application.
Instead you need to focus on the cases when various distributions upgrade libraries and break your application instead. Even a GLibC update may break your application (see the memcpy saga again) - and these people are quite serious about backward compatibility. Hardly progress.
And if you'll recall that backward-compatibility and security are often at odds (just a recent example)… no, I don't believe the war on bundled libraries is a good allocation of resources.
Posted Apr 14, 2012 1:22 UTC (Sat) by HenrikH (guest, #31152)
Well, knock on wood, but that has actually never happened to me yet, i.e. backports to distribution libraries introducing bugs in my application. However if I got then perhaps I would have a different attitude towards it, that just comes naturally.
But the memcpy() is just silly, I have always used memcpy() in a way that the libc change would have introduced no problem, that's why there is a memmove(). The fault there lies entirely on Adobe.