Re: Proposal for how to deal with Go/Rust/etc security bugs

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Proposal for how to deal with Go/Rust/etc security bugs
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 25 Jan 2024 18:14:57 +0000
Message-id: <[🔎] CAMw=ZnTwMxCd2n_ZSu49d0_01-=swsw7ggoXPO+yXZketZxJvA@mail.gmail.com>
In-reply-to: <[🔎] 87fryl5r70.fsf@hope.eyrie.org>
References: <1fe67b9f-f332-4239-9f96-3d780c0e8106@debian.org> <ZZARdHGmUlUZZa0o@riva.ucam.org> <87cyup5mix.fsf@kaka.sjd.se> <a9c550619c1944fe6db7ea33b27774e0f8d75e6e.camel@posteo.de> <[🔎] 874jfgtffd.fsf_-_@kaka.sjd.se> <[🔎] 20240114111729.rhi7eekkd3h5fpjg@shell.thinkmo.de> <[🔎] 87v87wrl86.fsf@kaka.sjd.se> <[🔎] 20240115091717.tl2rif5mfnz7bwvp@shell.thinkmo.de> <[🔎] ec4237994fdf9ba540a7d31ba7521a53da0b091f.camel@debian.org> <[🔎] 87r0ihegzh.fsf@kaka.sjd.se> <[🔎] CAJxTCxyXODCUkoqBSGVdE28fW4V0OZZm62DGjQHbwU5gF+Q98g@mail.gmail.com> <[🔎] 7ffc4554fca50b778c228fb498cd9f0747e0d983.camel@josefsson.org> <[🔎] 871qa7xh2w.fsf_-_@kaka.sjd.se> <[🔎] CAMw=ZnQHdPx5Rdzvd3pHF_BMv+u7EGAjkE+A_mF7cOL_B2ZgjA@mail.gmail.com> <[🔎] 875xzix6bv.fsf@kaka.sjd.se> <[🔎] 87fryl5r70.fsf@hope.eyrie.org>

On Thu, 25 Jan 2024 at 16:11, Russ Allbery <rra@debian.org> wrote:
>
> Simon Josefsson <simon@josefsson.org> writes:
>
> > I want to explore if there is a possibility to change status quo, and
> > what would be required to do so.
>
> > Given how often gnulib is vendored for C code in Debian, and other
> > similar examples, I don't think of this problem as purely a Go/Rust
> > problem.  The parallel argument that we should not support coreutils,
> > sed, tar, gzip etc because they included vendored copies of gnulib code
> > is not reasonable.
>
> Since there are now a bunch of messages on this thread of people grumbling
> about Rust and Go and semi-proposing not even trying to package that
> software (and presumably removing python3-cryptography and everything that
> depends on it? I'm not sure where people think this argument is going), I
> wanted to counterbalance that by saying I completely agree with Simon's
> exploration here.
>
> Rebuilding a bunch of software after a security fix is not a completely
> intractable problem that we have no idea how to even approach.  It's just
> CPU cycles and good metadata plus ensuring that our software can be
> rebuilt, something that we already promise.  Some aspects of making this
> work will doubtless be *annoying*, but it doesn't seem outside of our
> capabilities as a project.

Well, CPu cycles and metadata are not quite the whole story though. It
also takes a huge amount of extra engineering effort, both one-time to
completely rearchitect and reimplement the build and release
infrastructures to deal with this at scale, and ongoing to maintain
the additional complexities for the rest of the project's life. As you
well know, developers time is by far the scarcest resource of them
all.
Also, it means downloading and installing GBs of packages on every
security update, instead of a few KBs, for every user. While not as
bad as the resource issue, it's still not great.

Finally, as an opinion, quite frankly, it's not a very good design.
You can already run a distribution that does static linking for
everything and requires rebuilding the whole universe and then some
every time there's a one character change anywhere - take Yocto and
configure it to use Musl. Having used it for a long time now, it's
_really_ not good and I wouldn't recommend it to anybody. Matter of
taste of course.

Reply to:

References:
- Limited security support for Go/Rust? Re ssh3
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Bastian Blank <waldi@debian.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Bastian Blank <waldi@debian.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Paul Wise <pabs@debian.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Jérémy Lal <kapouer@melix.org>
- Re: Limited security support for Go/Rust? Re ssh3
  - From: Simon Josefsson <simon@josefsson.org>
- Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)
  - From: Luca Boccassi <bluca@debian.org>
- Re: Proposal for how to deal with Go/Rust/etc security bugs
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Proposal for how to deal with Go/Rust/etc security bugs
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Proposal for how to deal with Go/Rust/etc security bugs
Next by Date: Re: Understanding what's missing for Rust dynamic linking (was: Proposal for how to deal with Go/Rust/etc security bugs)
Previous by thread: Re: Proposal for how to deal with Go/Rust/etc security bugs
Next by thread: Re: Proposal for how to deal with Go/Rust/etc security bugs
Index(es):
- Date
- Thread