Just make sure that if a new library breaks the ABI, it can be installed side-by-side with the old one and that the old one remains available forever on all newer distributions.
ISVs providing Linux downloads
Posted Sep 12, 2012 4:59 UTC (Wed) by viro (subscriber, #7872)
BTW, in case it's non-obvious - I agree that the userland approach to API stability is atrociously bad. And API design tends to be just as promiscuous and lousy.
It's just that your "solution" really isn't. Neither is bundling libraries with the ISV code using those, for the same reasons.
Posted Sep 12, 2012 5:02 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Posted Sep 12, 2012 5:39 UTC (Wed) by khim (subscriber, #9252)
The efficiency of an attacker on a systematic hunt for bugs does *not* diminish, though.
It goes down, too. If a library just sits out there and nobody uses it then it's useless for the attacker anyway. If a library is actually needed by some software then the user will find and install it (unless s/he abandons Linux, that is) and thus it'll be available for the attacker anyway. And if the library is not present in the latest version of the distribution but is transplanted from an older version then it'll be more buggy, not less.
It's just that your "solution" really isn't.
It's the only alternative which works. We may lament that it's bad for one reason or another (and it is!) but as long as it's the only game in town…
Neither is bundling libraries with the ISV code using those, for the same reasons.
Again: if you don't provide a stable ABI in your system then ISVs will bundle libraries with their offerings. Acrobat brings openssl and libcurl, Firefox brings SQLite and NSS. And games bring practically everything, including bundled versions of SDL and libvorbis, sometimes even libjpeg and libpng.
If you think that this approach magically makes your system more secure than the one which supplies obsolete libraries in its core then you are sorely mistaken.
As I've said: a few percent of users may be satisfied with the selection of goods offered in their repo. Fine, but maybe it's time to create something for the rest of us?
Copyright © 2013, Eklektix, Inc.