
Risks of misinformation

Posted Sep 25, 2023 8:11 UTC (Mon) by ballombe (subscriber, #9523)
In reply to: Risks of misinformation by kleptog
Parent article: The European Cyber Resilience Act

> Or worse, FAANG doing it. It's unfortunate, because I think we do, collectively, have a good idea what a "well-run security-conscious open-source project" looks like, we're just unwilling to write it down.

I am not sure. Consider the original IJG libjpeg library. It has not had a single serious vulnerability in 25 years.
On the other hand, libwebp from 2011 has had tons of serious vulnerabilities.
Is it that Google programmers are incompetent and do not know how to write safe code? Certainly not.
The fact is that security is not seen as a real priority even by "well-run security-conscious open-source projects"
and issuing updates to fix vulnerabilities instead of writing correct code from the start is seen as acceptable
if this allows for faster development or faster code, despite claims to the contrary.


Risks of misinformation

Posted Sep 25, 2023 9:45 UTC (Mon) by Wol (subscriber, #4433) [Link]

> and issuing updates to fix vulnerabilities instead of writing correct code from the start is seen as acceptable

THIS!!! IN SPADES!!!

Cheers,
Wol

Risks of misinformation

Posted Sep 26, 2023 5:01 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

> I am not sure. Consider the original IJG libjpeg library.

Uhh... Whut?

There are some CVEs for it: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libjpeg

Looking deeper, it looks like nobody is actually using the original libjpeg, everyone seems to be using libjpeg-turbo. Debian even uses it to provide libjpeg, they seem to have switched some time in the previous decade.

So it looks more like the case of nobody really caring about it.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds