Efficiency of attacker on systematic hunt for bugs does *not* diminish, though.
It goes down, too. If a library just sits out there and nobody uses it, then it's useless for the attacker anyway. If a library is actually needed by some software, then the user will find and install it (unless s/he abandons Linux, that is), and thus it'll be available to the attacker anyway. And if a library is not present in the latest version of the distribution but is transplanted from an older version, then it'll be more buggy, not less.
It's just that your "solution" really isn't.
It's the only alternative which works. We may lament that it's bad for one reason or another (and it is!) but as long as it's the only game in town…
Neither is bundling libraries with ISV code using those, for the same reasons.
Again: if you don't provide a stable ABI in your system, then ISVs will bundle libraries with their offerings. Acrobat brings openssl and libcurl, Firefox brings SQLite and NSS. And games bring practically everything, including bundled versions of SDL and libvorbis, sometimes even libjpeg and libpng.
If you think that this approach magically makes your system more secure than one which supplies obsolete libraries in its core, then you are sorely mistaken.
As I've said: a few percent of users may be satisfied with the selection of goods offered in their repo. Fine, but maybe it's time to create something for the rest of us?
Copyright © 2017, Eklektix, Inc.