On Jan 13, 10 11:57, Rainer Deyke wrote:
> Leandro Lucarella wrote:
> > If you use dynamic linking, the user just needs to keep their system updated
> > to avoid this kind of issue, and you only need to care about a new release
> > when the bugs are really from your program, not third-party libraries.
>
> No, that's backwards.
>
> If the user gets the application and library from a central repository
> (e.g. apt-get), then it is the responsibility of the repository
> maintainer(s) to keep everything up to date. Getting a patched
> executable from the repository is no more or less effort for the user
> than getting a patched library from the repository. Putting a new
> executable up is no more or less effort for the repository maintainer(s)
> than putting a new library up.

Suppose libc got a security flaw. Instead of downloading and updating 1
library you have to download and update 1,000 executables. So instead of
distributing (say) 100 KB of binaries the repositories need to send 100
MB to their users. A huge and unnecessary bandwidth waste for both sides, I
would say.

> If the user gets the application and library from the application
> developer, then it's the responsibility of the application developer to
> keep everything patched. Getting a patched executable is still no more
> or less effort for the user than getting a patched library. Putting a
> new executable up is no more or less effort for the application
> developer than putting a new library up.

What if the application developer is irresponsible?

> If the user gets the application and library from separate developers,
> then keeping the library up to date is the responsibility of the library
> developer. Getting software from multiple sources is /more/ effort for
> the user. Furthermore, library developers are rarely set up to
> distribute software to the end user. Often the library developers don't
> even distribute binaries.
>
> In summary, there are no cases where dynamic linking makes security
> updates easier for the end user. There are cases where this separation
> makes security updates a lot harder for the end user.