Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-25 Thread Fabian Grünbichler
On Wed, Jan 24, 2024 at 09:37:27AM +0100, Simon Josefsson wrote:
> Simon Josefsson writes:
>
> >> > My naive approach on how to fix a security problem in package X
> >> > which is
> >> > statically embedded into other packages A, B, C, ... would be to
> >> > rebuild
> >> > the transitive closure

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Marco d'Itri
On Jan 24, Peter Pentchev wrote:
> This might be a minority, optimistic, rose-tinted-glasses kind of
> opinion, but I believe that the state of the Rust ecosystem today
> (I have no experience with the Go one) is quite similar to what Perl and
> Python modules were 25, 20, bah, even 15 years

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Peter Pentchev
On Wed, Jan 24, 2024 at 01:01:34PM +, Luca Boccassi wrote:
> On Wed, 24 Jan 2024 at 12:26, Johannes Schauer Marin Rodrigues
> wrote:
> >
> > Hi,
> >
> > Quoting Luca Boccassi (2024-01-24 12:59:38)
> > > There's always option B: recognize that the Rust/Go ecosystems are not
> > > designed to

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Jeremy Stanley
On 2024-01-24 13:26:49 +0100 (+0100), Johannes Schauer Marin Rodrigues wrote:
[...]
> how does that work for those applications that require rust, go
> and friends? Are you proposing that everything that needs them
> should be distributed by a flatpak or similar mechanism
> instead?
>
> Just a

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Luca Boccassi
On Wed, 24 Jan 2024 at 12:26, Johannes Schauer Marin Rodrigues wrote:
>
> Hi,
>
> Quoting Luca Boccassi (2024-01-24 12:59:38)
> > There's always option B: recognize that the Rust/Go ecosystems are not
> > designed to be compatible with the Linux distributions model, and are
> > instead
> >

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Johannes Schauer Marin Rodrigues
Hi,

Quoting Luca Boccassi (2024-01-24 12:59:38)
> There's always option B: recognize that the Rust/Go ecosystems are not
> designed to be compatible with the Linux distributions model, and are instead
> designed to be as convenient as possible for a _single_ application developer
> and its users

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Luca Boccassi
On Wed, 24 Jan 2024 at 11:42, Simon Josefsson wrote:
>
> Simon Josefsson writes:
>
> >> > My naive approach on how to fix a security problem in package X
> >> > which is
> >> > statically embedded into other packages A, B, C, ... would be to
> >> > rebuild
> >> > the transitive closure of all

Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

2024-01-24 Thread Simon Josefsson
Simon Josefsson writes:
>> > My naive approach on how to fix a security problem in package X
>> > which is
>> > statically embedded into other packages A, B, C, ... would be to
>> > rebuild
>> > the transitive closure of all packages that Build-Depends on X and
>> > publish a security update for