[GTALUG] why I like shared libraries -- no longer a popular position

D. Hugh Redelmeier hugh at mimosa.com
Sat Sep 23 08:48:51 EDT 2023


| From: mwilson--- via talk <talk at gtalug.org>

| By ?shared libraries? you don?t mean libsomething.so, right?  You mean
| everybody in the world using code they got from ?Somebody?.

[What are the question marks that appear where other punctuation is
expected?  Did your mail get badly transcoded at some step?]

I mean the former.

The latter is scary, as you point out.
This is called a "supply chaing attack" these days.

We need a better way of pushing back at problems with suppliers.
Simply choosing not to adopt is good, but it would be better if you
could signal to others your concerns.  Shared critiquing.

But even for critiquing there is a "free riders" problem.  In the
worst case, everyone thinks everyone else is doing the work and nobody
does it.

| Since it?s 3AM and my mind is freewheeling I ponder ?If I were a
| well-funded system attacker, don?t new image file formats look like a fine
| way to get everybody to install brand new kind-of-obscure library code
| (libaom.so on Debian12 is 5 megabytes) without asking embarrassing
| questions??

Quite right.  A big concern.  I hide my head in the sand and assume
Red Hat vets the code it distributes.  The fact is that it is a very
hard problem to vet a small amount of code, let alone a whole distro.

The linux kernel requires that code contributors be registered.  I
think that contibutions must be cryptographically signed, but I'm not
sure.  This helps but isn't air-tight.

I don't see that static linking would help with this problem.


More information about the talk mailing list