[GTALUG] why I like shared libraries -- no longer a popular position
David Collier-Brown
davec-b at rogers.com
Sun Sep 24 08:23:44 EDT 2023
People discovered that there was an NP-complete problem with competing
versions of library functions, but instead of addressing it, they kluged
around it with static linking, snaps and flatpaks. And ended up with a
different problem, as Hugh noted.

When faced with an NP-complete problem, one constructs one's system so as
to not have it. Don't hack up workarounds that add new problems. I
pitched that to the Go community back in 2018,
https://leaflessca.wordpress.com/2018/09/03/avoiding-an-np-complete-problem-by-recycling-multics-answer/
but they didn't hear it.
--dave
On 9/23/23 00:18, D. Hugh Redelmeier via talk wrote:
> <https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/>
>
> A bug was found (painfully -- a zero day) in Apple's Safari and
> (separately) in Google's Chrome. This is a pretty serious bug -- it was
> used to spy on an opposition politician in Egypt.
>
> It is the same bug, and this was not reported.
>
> It turns out that the bug is in libwebp. "WebP codec is a library to
> encode and decode images in WebP format."
>
> libwebp is used in a lot of programs. On my Fedora 38 system, it is a
> shared library so it can be fixed in one update. Except where the library
> is copied (for example, statically linked, or used in a container of some
> sort).
>
> Electron is one thing that requires copies and the article lists a lot of
> applications built on Electron.
>
> What a mess. What a mistake.