Re: Limited security support for Go/Rust? Re ssh3
On Sun, Jan 14, 2024 at 04:24:57PM +0100, Simon Josefsson wrote:
> Isn't that what the text refers to? Vendoring and static linking are
> two examples of the same problem that the security team may encounter.
We accept vendoring of autoconf/automake/gnulib distro wide. Please
show practical problems with it? The result of autoconf and automake is
not embedded into the produced binaries, so a security vulnerability can
not go on. The vendoring of gnulib, well, is old and maybe you could
show that it is a problem in the sources that have it, aka they don't
handle security fixes and at the same time don't change the library.
> The problem with dependencies are more obvious for Go/Rust code but I
> think we always have had that problem anyway.
Here the problem is embedded into the language oekosystem itself. It is
not a choice of the software author to do static linking.
> As for solutions, isn't the solution to both vendoring or statical
> linking the obvious one? You will have to rebuild all packages that
> contain the security vulnerability.
I asked for practical solutions, not theoretical ones. We don't have a
suitable way to rebuild all packages just because right now.
> Maybe I'm missing how these two problems result in different problems
> for the security team?
You did not show that autoconf/automak/gnulib is a problem at all. And
a => b with a false gives no answer.
Bastian
--
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.
Reply to: