The modern packager’s security nightmare

One of the most important tasks of the distribution packager is to ensure that the software shipped to our users is free of security vulnerabilities. While finding and fixing the vulnerable code is usually considered upstream’s responsibility, the packager needs to ensure that all these fixes reach the end users ASAP. With the aid of central package management and dynamic linking, the Linux distributions have pretty much perfected the deployment of security fixes. Ideally, fixing a vulnerable dependency is as simple as patching a single shared library via the distribution’s automated update system.

Of course, this works only if the package in question is actually following good security practices. Over the years, many Linux distributions (at the very least, Debian, Fedora and Gentoo) have been fighting these bad practices with some success. However, today the times have changed. Today, for every 10 packages fixed, a completely new ecosystem emerges with the bad security practices at its central point. Go, Rust and to some extent Python are just a few examples of programming languages that have integrated the bad security practices into the very fabric of their existence, and recreated the same old problems in entirely new ways.

This post explains the issue packagers run into very well – and it sure does look like these newer platforms are not very good citizens. I know this isn’t related, but this gives me the same feelings and reservations as Flatpak, Snap, and similar tools.

Sjon
4 days ago

Tesla Recalls Cars with EMMC Failures, Calls Part a ‘Wear Item’

Article URL: https://hackaday.com/2021/02/11/tesla-recalls-cars-with-emmc-failures-calls-part-a-wear-item/

Comments URL: https://news.ycombinator.com/item?id=26103533

Points: 152

Comment count: 235

Sjon
14 days ago

Why I Built Litestream

Article URL: https://litestream.io/blog/why-i-built-litestream/

Comments URL: https://news.ycombinator.com/item?id=26103776

Points: 473

Comment count: 135

Sjon
14 days ago

Police playing music while being filmed, seemingly to trigger copyright filters

Article URL: https://www.vice.com/en/article/bvxb94/is-this-beverly-hills-cop-playing-sublimes-santeria-to-avoid-being-livestreamed

Comments URL: https://news.ycombinator.com/item?id=26082303

Points: 735

Comment count: 340

Sjon
16 days ago

Sequencing your DNA with a USB dongle and open source code

Article URL: https://stackoverflow.blog/2021/02/03/sequencing-your-dna-with-a-usb-dongle-and-open-source-code/

Comments URL: https://news.ycombinator.com/item?id=26014421

Points: 171

Comment count: 68

Sjon
21 days ago

Why Robinhood disabled buys but not sells

Article URL: https://stu2b50.dev/posts/why-robinhood-d3580b

Comments URL: https://news.ycombinator.com/item?id=25979673

Points: 510

Comment count: 540

Sjon
25 days ago