Re: [GTALUG] why I like shared libraries -- no longer a popular position

2023-09-23 Thread Lennart Sorensen via talk
On Sat, Sep 23, 2023 at 02:27:27PM -0400, mwilson--- via talk wrote:
> Transcoded must be the answer.  I composed the message in LibreOffice Writer
> then copied the text and pasted it into the SquirrelMail reply screen from
> vex.net.
> The characters shown as ? started out as single and double quotation marks.
> Hmm.

They ended up as backslash and a 3 digit number as if they were in some
non standard character set (certainly not utf8 or ascii) with non standard
escaping too.

Email header claims it is utf8 but clearly something was not.

-- 
Len Sorensen
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk


Re: [GTALUG] why I like shared libraries -- no longer a popular position

2023-09-23 Thread mwilson--- via talk
> [What are the question marks that appear where other punctuation is
> expected?  Did your mail get badly transcoded at some step?]

Transcoded must be the answer.  I composed the message in LibreOffice Writer
then copied the text and pasted it into the SquirrelMail reply screen from
vex.net.
The characters shown as ? started out as single and double quotation marks.
Hmm.




Re: [GTALUG] why I like shared libraries -- no longer a popular position

2023-09-23 Thread Dhaval Giani via talk
>
> The linux kernel requires that code contributors be registered.  I
> think that contributions must be cryptographically signed, but I'm not
> sure.  This helps but isn't air-tight.
>

This is news to me.  No, there is no registration to work on the kernel.
There is no single authority who you could register with. I believe I know
what your misunderstanding is. After the 2012 breach, Linus prefers your
tags be signed (I recall there are still a few straggler maintainers out
there). This doesn’t affect the average contributor because they don’t send
pull requests to Linus. Now because we wanted signed tags and key
distribution is a fun problem, one needed to get their keys signed. The
protocol was: I know this person and have verified their identity, so I
will sign their key. One of the things we did was check each other's
government-issued IDs. Of course we are no experts in spotting fake IDs, so
that is a risk factor considered. But for the most part we signed each other's
keys and “verified” their identity, and I think you misremembered it as
registering.

Dhaval

>
> I don't see that static linking would help with this problem.


Re: [GTALUG] why I like shared libraries -- no longer a popular position

2023-09-23 Thread D. Hugh Redelmeier via talk
| From: mwilson--- via talk 

| By ?shared libraries? you don?t mean libsomething.so, right?  You mean
| everybody in the world using code they got from ?Somebody?.

[What are the question marks that appear where other punctuation is
expected?  Did your mail get badly transcoded at some step?]

I mean the former.

The latter is scary, as you point out.
This is called a "supply chain attack" these days.

We need a better way of pushing back at problems with suppliers.
Simply choosing not to adopt is good, but it would be better if you
could signal to others your concerns.  Shared critiquing.

But even for critiquing there is a "free riders" problem.  In the
worst case, everyone thinks everyone else is doing the work and nobody
does it.

| Since it?s 3AM and my mind is freewheeling I ponder ?If I were a
| well-funded system attacker, don?t new image file formats look like a fine
| way to get everybody to install brand new kind-of-obscure library code
| (libaom.so on Debian12 is 5 megabytes) without asking embarrassing
| questions??

Quite right.  A big concern.  I hide my head in the sand and assume
Red Hat vets the code it distributes.  The fact is that it is a very
hard problem to vet a small amount of code, let alone a whole distro.

The linux kernel requires that code contributors be registered.  I
think that contributions must be cryptographically signed, but I'm not
sure.  This helps but isn't air-tight.

I don't see that static linking would help with this problem.


Re: [GTALUG] why I like shared libraries -- no longer a popular position

2023-09-23 Thread mwilson--- via talk
> 
>
> A bug was found  (painfully -- a zero day) in Apple's Safari and
> (separately) in  Google's Chrome.  This is a pretty serious bug -- it was
> used to spy on an opposition politician in Egypt.
>
> It is the same bug, and this was not reported.
>
> It turns out that the bug is in libwebp.  "WebP codec is a library to
> encode and decode images in WebP format."
>
> libwebp is used in a lot of programs.  On my Fedora 38 system, it is a
> shared library so it can be fixed in one update.  Except where the library
> is copied (for example, statically linked, or used in a container of some
> sort).
>
> Electron is one thing that requires copies and the article lists a lot of
> applications built on Electron
>
> What a mess.  What a mistake.


By ‘shared libraries’ you don’t mean libsomething.so, right?  You mean
everybody in the world using code they got from “Somebody”.

I’m just a little worried these days about the new .avif format. 
ImageMagick handles it in the Debian12 distribution, but it hasn’t made it
to the current Raspberry Pi OS.  A libavif exists, but seems to be
controversial and hard to find.

Everybody’s choice of fallback seems to be libheif.  libheif depends on
libde265.  libde265 is said to have no dependencies, but wouldn’t (IIRC)
install without finding something involving SSL2.  Finally, ImageMagick
was built, but libheif won’t actually do anything without a separate
codec, which it can obtain from libaom.  The libaom  from a Google git
site throws up fatal compile errors.  So there I am.

So the question arose in my mind “What the heck IS this stuff?”

Since it’s 3AM and my mind is freewheeling I ponder “If I were a
well-funded system attacker, don’t new image file formats look like a fine
way to get everybody to install brand new kind-of-obscure library code
(libaom.so on Debian12 is 5 megabytes) without asking embarrassing
questions?”

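The distinction the original post draws (quoted above) between a shared libwebp, which one distro update fixes, and copies statically linked or bundled into applications such as Electron, as an added triage example that is not from the thread or from any of its authors: it parses `readelf -d` output for DT_NEEDED sonames and falls back to marker strings from `strings` output. The inventory, the binary paths and the marker list are constructed assumptions.

```python
import re
from collections import defaultdict

# Sonames a dynamically linked binary lists as DT_NEEDED for WebP support.
WEBP_SONAME = re.compile(r"^libwebp(mux|demux)?\.so(\.\d+)*$")
# One DT_NEEDED entry as printed by `readelf -d`.
NEEDED_LINE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
# Assumed markers a statically linked or bundled copy leaves in `strings` output
# (WebPDecodeRGBA is a libwebp API symbol; the list itself is an assumption).
BUNDLED_MARKERS = ("WebPDecodeRGBA", "libwebp")


def parse_needed(readelf_d_output):
    """Return the DT_NEEDED sonames found in `readelf -d` text."""
    return [m.group(1) for m in NEEDED_LINE.finditer(readelf_d_output)]


def classify(needed, strings_output):
    """'shared'  : uses the distro libwebp, so one library update fixes it
       'bundled' : carries its own copy, so the application itself must be rebuilt
       'none'    : no WebP code found"""
    if any(WEBP_SONAME.match(lib) for lib in needed):
        return "shared"
    if any(marker in strings_output for marker in BUNDLED_MARKERS):
        return "bundled"
    return "none"


def triage(inventory):
    """inventory: {path: (readelf -d output, strings output)} -> {category: [paths]}"""
    result = defaultdict(list)
    for path, (readelf_out, strings_out) in inventory.items():
        result[classify(parse_needed(readelf_out), strings_out)].append(path)
    return dict(result)


# Constructed sample inventory standing in for real tool output.
SAMPLE = {
    "/usr/bin/display": (
        " 0x0000000000000001 (NEEDED) Shared library: [libwebp.so.7]\n"
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n",
        "ImageMagick\n"),
    "/opt/example-electron-app/app": (
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n",
        "WebPDecodeRGBA\n"),
    "/bin/ls": (
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n",
        "GNU coreutils\n"),
}

if __name__ == "__main__":
    for category, paths in triage(SAMPLE).items():
        print(category, paths)
```

On a real host the two inputs come from `readelf -d PATH` and `strings PATH`; a "bundled" hit is a prompt to check the application's own release notes rather than the distro's libwebp package.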