| From: mwilson--- via talk <talk@gtalug.org>

| By ?shared libraries? you don?t mean libsomething.so, right?  You mean
| everybody in the world using code they got from ?Somebody?.

[What are the question marks that appear where other punctuation is
expected?  Did your mail get badly transcoded at some step?]

I mean the former.

The latter is scary, as you point out.
This is called a "supply chain attack" these days.

We need a better way of pushing back at problems with suppliers.
Simply choosing not to adopt is good, but it would be better if you
could signal to others your concerns.  Shared critiquing.

But even for critiquing there is a "free riders" problem.  In the
worst case, everyone thinks everyone else is doing the work and nobody
does it.

| Since it?s 3AM and my mind is freewheeling I ponder ?If I were a
| well-funded system attacker, don?t new image file formats look like a fine
| way to get everybody to install brand new kind-of-obscure library code
| (libaom.so on Debian12 is 5 megabytes) without asking embarrassing
| questions??

Quite right.  A big concern.  I hide my head in the sand and assume
Red Hat vets the code it distributes.  The fact is that it is a very
hard problem to vet a small amount of code, let alone a whole distro.

The Linux kernel requires that code contributors be registered.  I
think that contributions must be cryptographically signed, but I'm not
sure.  This helps but isn't air-tight.

I don't see that static linking would help with this problem.