Applications and bundled libraries
Posted Mar 18, 2010 12:20 UTC (Thu) by __alex (subscriber, #38036)
I wonder if people would still be complaining if Google had implemented their versions of some of
the things they depend on instead of using existing libraries with their own patches. It seems like
just because Chromium depends on things that have the same name as things already in the distro
that everyone thinks they *are* the same thing. sqlite is a pretty good example of this. Upstream
don't want the changes. So essentially the 'sqlite' used in Chromium isn't 'sqlite' anymore. It's an
entirely new project tied to Chromium. It makes no sense to think of it as a library now.
Posted Mar 18, 2010 17:55 UTC (Thu) by dlang (subscriber, #313)
If all the applications link to the system library you update that and everything just works.
If an application ships its own copy of the library, you have a chance of finding it if you search for it and can then replace that copy (although if it's been tweaked, you may still break that application, but at least you know that application is unsafe after that point).
If an application statically links the library, you have no way of knowing that the application is using that library, and unless the application developer notices the security alert and ships an update to the application, you won't be able to patch the vulnerability, but even worse, you won't be able to find out that the application is vulnerable in the first place.
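For the bundled and statically linked cases in the comment above, this is an added example (not part of the original comments) of one heuristic: sweeping files for the version banners that some libraries compile into their own code and comparing them with the fixed version from an advisory. The pattern list, the function names and the `fixed_in` values are assumptions of this example, and a copy with no banner will not be found.

```python
import os
import re

# Banner strings these libraries compile into their own object code, so they
# survive static linking. The pattern list is this example's assumption and is
# not exhaustive; a stripped or patched copy may carry no banner at all.
SIGNATURES = {
    "zlib": re.compile(rb" (?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+[a-z0-9]*)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}"),
}

def embedded_libraries(blob):
    """Return {library: [versions]} for every banner found in a byte string."""
    found = {}
    for name, pattern in SIGNATURES.items():
        versions = sorted({m.group(1).decode("ascii") for m in pattern.finditer(blob)})
        if versions:
            found[name] = versions
    return found

def version_key(version):
    """Sortable key: '0.9.8k' -> [(0, ''), (9, ''), (8, 'k')]."""
    return [(int(num), suffix) for num, suffix in re.findall(r"(\d+)([a-z]*)", version)]

def scan_tree(root, fixed_in):
    """Walk root and list (path, library, version) for copies older than fixed_in.

    fixed_in maps library name -> first fixed version, taken from the advisory.
    """
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and dangling symlinks
            try:
                with open(path, "rb") as handle:
                    blob = handle.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for lib, versions in embedded_libraries(blob).items():
                for version in versions:
                    if lib in fixed_in and version_key(version) < version_key(fixed_in[lib]):
                        stale.append((path, lib, version))
    return sorted(stale)

# Constructed sample: bytes standing in for a statically linked executable.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 64
                 + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly " + b"\x00" * 16)
```

Calling `scan_tree("/opt", {"zlib": "<fixed version from the advisory>"})` lists the files that still carry an older embedded copy; an empty result only means no banner matched.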
Posted Mar 19, 2010 10:57 UTC (Fri) by hummassa (subscriber, #307)
Copyright © 2017, Eklektix, Inc.