|
|
Log in / Subscribe / Register

Shared libraries

Shared libraries

Posted Nov 25, 2025 20:46 UTC (Tue) by jhoblitt (subscriber, #77733)
In reply to: Shared libraries by keithp
Parent article: APT Rust requirement raises questions

The reality is that the burden of rolling out security fixes is shifting from distros to upstream projects. So instead of a shared lib getting updated at the distro level, the upstream(s) tag a new release with the version dep(s) bumped. This isn't a big deal for most upstreams as odds are, a bot will automatically open a pull/merge request when a dep patches a security issue.

What is probably needed to make this new model palletted for distros is standardized change log data that the distros can poll looking for security updates.

to post comments

Shared libraries

Posted Nov 25, 2025 20:51 UTC (Tue) by mb (subscriber, #50428) [Link] (3 responses)

That's not what actually happens, though.

Distros don't care about locked upstream dependencies.
And I think that's fine, if they always pick the latest compatible semver.
That tends to work very well in the crates.io ecosystem with only extremely few exceptions.

But distros often try to use older dependencies than locked upstream. Which is not Ok, IMO.

Shared libraries

Posted Nov 25, 2025 22:35 UTC (Tue) by jhoblitt (subscriber, #77733) [Link] (2 responses)

I don't dispute that distros override Cargo.lock files but I don't agree that behavior is a feature. Changing a single dep version can also result in changes to transitive deps and my preference is that I am running the exact version of a software package which passed the upstream project's CI pipeline.

Shared libraries

Posted Nov 26, 2025 8:22 UTC (Wed) by joib (subscriber, #8541) [Link] (1 responses)

Case in point being Debian breaking bcachefs-tools by changing one of the deps to an older one.

Maybe there's a position in between "only one version of each library" and "whatever is currently in Cargo.lock across a hundred different projects"? E.g. some algorithm that could calculate the minimum set of versions to satisfy all the version requirements in all the Cargo.toml files that are used in the distro?

Shared libraries

Posted Nov 26, 2025 8:59 UTC (Wed) by zdzichu (subscriber, #17118) [Link]

Debian breakage should be caught by unit tests during the package build. But last time I've checked, there were no such tests in bcachefs-tools. Not exactly evoking confidence in its code.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds