Consequences of library bundling (was: Re: OpenH264 in Fedora)

2013-11-07 Thread Florian Weimer

On 11/06/2013 08:52 PM, Adam Jackson wrote:

> Again: don't stop the solution short based on what the current code
> happens to implement.
>
> If we're building the bundles - and there are reasons we would want to -
> then we know the patches we need to apply.


Despite significant efforts, we still have some trouble doing precisely 
that in the current environment.  Ensuring that critical changes are 
applied to all relevant branches pretty much relies on individual 
developer effort and attention.


From a birds-eye view, we perform bundling at the distribution level. 
Carrying patches back and forth is not easy.  We've been dealing with 
this for a decade or more, yet supporting technology is still scarce. 
This has little to do with RPM and its limitations because it's about 
making sure that dist-git (both Fedora and further downstream) have the 
required or best possible versions of the code base.  At this stage, the 
lack of multiple RPM databases, multiple versions of the same package, 
etc. does not come into play.  There are some constraints due to the 
processes involved, but everyone is free to use the data that is just 
out there and start their own side project to tackle this problem.  Yet 
this hasn't happened.  There have been some research efforts, but 
nothing came out of that which actually had a chance of integration. 
(Other distributions face the same challenge.)


That's why I'm fairly convinced that the delivery mechanism isn't 
holding back a solution.  It's just a very difficult problem, no matter 
how you eventually ship your bits.


--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Consequences of library bundling (was: Re: OpenH264 in Fedora)

2013-11-06 Thread Florian Weimer

On 11/06/2013 04:05 PM, Adam Jackson wrote:

> On Wed, 2013-11-06 at 09:36 +0100, Roberto Ragusa wrote:
>
>> On 11/04/2013 07:30 PM, Alberto Ruiz wrote:
>>
>>> A media codec should not be a system wide component (I'd go as far as
>>> saying it should not be user-session wide, but application bundled).
>>
>> ???
>> Would you so apply the same reasoning to libjpeg and libtiff?
>> Security nightmare.
>
> It's only a nightmare because we've steadfastly refused to build the
> tools to a) track library bundling inside app-bundles b) automate bundle
> rebuilds c) force replacement of bundle contents either by sysadmin
> action or by policy.


You also have to port security fixes to all slightly different bundled 
versions.  Not every security fix is that trivial two-liner, and 
libraries which benefit most from bundling (because they have unstable 
APIs and are under heavy development) are exactly those where 
backporting is hard.  That is the really hard problem.


Tracking bundling and defective bundled software is no picnic either, 
but at least it can be somewhat automated (see the Victims project for 
Java/Maven, or some of the bundling detection logic in Lintian).  That's 
much harder with backporting.


--
Florian Weimer / Red Hat Product Security Team
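The kind of automated bundling detection Florian refers to (Lintian-style scanning of a package tree for marker files of well-known libraries, then matching the embedded version against advisory data to see which copies still need a fix backported), written here as an added illustration; it is not code from the thread, from Lintian or from the Victims project. Assumptions: the unpacked package is passed as an in-memory path-to-text mapping, the two marker-file signatures follow the headers libjpeg and libtiff actually ship but are only illustrative, and the advisory data is constructed.

```python
import re
from dataclasses import dataclass

# Marker file inside an embedded copy plus a regex that extracts its version.
# Illustrative signatures modelled on the real jpeglib.h / tiffvers.h headers;
# a production scanner would carry a much larger signature set.
SIGNATURES = {
    "libjpeg": ("jpeglib.h", re.compile(r"#define\s+JPEG_LIB_VERSION\s+(\d+)")),
    "libtiff": ("tiffvers.h",
                re.compile(r'TIFFLIB_VERSION_STR\s+"LIBTIFF, Version (\S+)"')),
}

@dataclass(frozen=True)
class Bundled:
    library: str
    path: str      # where the embedded copy lives inside the package tree
    version: str   # "unknown" when the marker file carries no readable version

def find_bundled(tree):
    """tree maps a relative file path -> file text (the unpacked package sources)."""
    found = []
    for path, text in sorted(tree.items()):
        for lib, (marker, pattern) in SIGNATURES.items():
            if path.split("/")[-1] != marker:
                continue
            m = pattern.search(text)
            found.append(Bundled(lib, path, m.group(1) if m else "unknown"))
    return found

def needs_backport(findings, affected):
    """affected maps library -> set of versions known to carry the unfixed bug.
    A copy whose version cannot be read is flagged too: it cannot be cleared."""
    return [b for b in findings
            if b.library in affected
            and (b.version == "unknown" or b.version in affected[b.library])]

# Constructed package tree: the app ships its own libjpeg and two libtiff copies,
# one of them with the version macro stripped out by whoever vendored it.
SAMPLE_TREE = {
    "src/main.c": "int main(void) { return 0; }\n",
    "third_party/jpeg/jpeglib.h": "#define JPEG_LIB_VERSION  80\n",
    "third_party/tiff/libtiff/tiffvers.h":
        '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.3"\n',
    "vendor/old-tiff/tiffvers.h": "/* version macro stripped by the vendor */\n",
}
# Constructed advisory data: the fix landed only after libtiff 4.0.3.
SAMPLE_AFFECTED = {"libtiff": {"4.0.2", "4.0.3"}}

if __name__ == "__main__":
    for b in needs_backport(find_bundled(SAMPLE_TREE), SAMPLE_AFFECTED):
        print(f"{b.library} {b.version} bundled at {b.path}: fix must be backported")
```

The second libtiff copy shows the part that stays manual: detection can tell you a copy exists, but an unreadable version still leaves a human to diff it against upstream and port the fix.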