People discovered that there was an NP-complete problem with competing
versions of library functions, but instead of addressing it, they kluged
around it with static linking, snaps and flatpaks. And ended up with a
different problem, as Hugh noted.
When faced with an NP-complete problem, one constructs one's system so as
to not have it. Don't hack up workarounds that add new problems. I
pitched that to the Go community back in 2018,
https://leaflessca.wordpress.com/2018/09/03/avoiding-an-np-complete-problem-by-recycling-multics-answer/
but they didn't hear it.
--dave
On 9/23/23 00:18, D. Hugh Redelmeier via talk wrote:
<https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/>
A bug was found (painfully -- a zero day) in Apple's Safari and
(separately) in Google's Chrome. This is a pretty serious bug -- it was
used to spy on an opposition politician in Egypt.
It is the same bug, and this was not reported.
It turns out that the bug is in libwebp. "WebP codec is a library to
encode and decode images in WebP format."
libwebp is used in a lot of programs. On my Fedora 38 system, it is a
shared library so it can be fixed in one update. Except where the library
is copied (for example, statically linked, or used in a container of some
sort).
Electron is one thing that requires copies and the article lists a lot of
applications built on Electron.
What a mess. What a mistake.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
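An added example, not code from either poster or from any project named in the thread: one way to inventory the separate libwebp shared-object copies Hugh describes, grouping them by SHA-256 and marking those outside the system library directories as bundled. The directory lists and the filename pattern are assumptions; statically linked copies, such as those inside an Electron binary, have no file of their own and are not found by this.

```python
import hashlib
import os
import re
from collections import defaultdict

# Assumption: directories that a distro package update rewrites in place.
SYSTEM_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")
# Matches libwebp.so, libwebp.so.7, libwebp.so.7.1.5 (not libwebpmux/libwebpdemux).
LIBWEBP_RE = re.compile(r"^libwebp\.so(\.\d+)*$")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_libwebp_copies(roots, system_dirs=SYSTEM_LIB_DIRS):
    """Return {sha256: [(path, 'system' | 'bundled'), ...]} per distinct build."""
    system_dirs = tuple(os.path.realpath(d) for d in system_dirs)
    copies = defaultdict(list)
    seen = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not LIBWEBP_RE.match(name):
                    continue
                real = os.path.realpath(os.path.join(dirpath, name))
                if real in seen or not os.path.isfile(real):
                    continue  # symlink to a file already counted, or dangling
                seen.add(real)
                in_system = any(real.startswith(d + os.sep) for d in system_dirs)
                kind = "system" if in_system else "bundled"
                copies[sha256_of(real)].append((real, kind))
    return dict(copies)


def bundled_paths(copies):
    """Paths that an update of the system shared library will not touch."""
    return sorted(p for entries in copies.values() for p, k in entries if k == "bundled")


if __name__ == "__main__":
    found = find_libwebp_copies(["/usr", "/opt", "/var/lib/flatpak", "/snap"])
    for path in bundled_paths(found):
        print("bundled copy:", path)
```

The classification is by path only, so an application that installs its own copy under a system library directory is counted as "system"; compare the hashes in the returned mapping to spot that case.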