On Wed, Feb 15, 2023 at 09:13:06AM +0100, Nicolas George wrote: [...]
> > In a distro, applications have to get along with each other, agree
> > on a common set of libraries, file system layout, etc. I think this
> > is a Good Thing. Every app carrying its own little distro is like
> > neoliberal hell. No wonder it uses up more resources ;-D
>
> I agree with that. The memory impact of code is probably not that big
> compared to the carelessness of applications with their memory
> management for data.

Right: this was stretching the analogy a bit. In real life, that's what
happens to resources, too.

> But there is an even worse side to these pseudo-package managers:
> updates.
>
> Now that everybody is responsible for packaging their own applications
> with all its libraries, if a bug is found in an application, you can
> hope its author will issue an updated package.
>
> But do you trust the developers of all the applications you use to make
> updates every time a bug, including a security issue, is found in any of
> the embedded libraries?

Yes, that's another technical aspect. Imagine you have 17 slightly
different versions of libc spread across your Flatlands. Imagine further
that some big, fat CVE turns up, affecting 15 of those 17 (the other two
are perhaps too old). Of those 15, two upstream "vendors" have gone bust,
another one was a private person and has lost interest. Another was picked
up by some sleazy malicious actor who is eagerly waiting for you to push
the update button (yeah, that does happen [1] in npm world!).

All that said, I was more interested in the sociological structure of the
whole thing, because it looks like a mirror image of that "collective" vs.
"individual" from political life, which we as humankind haven't managed to
solve for the last millennia, take or give :-)

Cheers

[1] https://www.synopsys.com/blogs/software-security/malicious-dependency-supply-chain/

-- 
t
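The "17 versions of libc, 15 affected, some with nobody left to ship a fix" scenario in the message above is exactly the kind of check a defender wants to automate. The script below is an added example, not part of the thread or of any Flatpak tooling: it takes an inventory of which self-contained apps bundle which library at which version (here a constructed list; in practice it would come from an SBOM or from listing installed runtimes), cross-checks it against an advisory's affected version range (a constructed spec, not a real CVE), and splits the hits into apps whose maintainer can be expected to push an update and apps that are effectively orphaned. The `maintainer` labels are an assumed input field, not something any package format provides.

```python
"""Cross-check libraries bundled by self-contained apps against an
advisory's affected version range.

Added illustration for the thread above: the inventory, the advisory
and the maintainer labels are all constructed, not real data."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class BundledLib:
    app: str         # the self-contained application (e.g. one Flatpak)
    library: str     # library name bundled inside that app
    version: str     # version string as shipped by that app
    maintainer: str  # "active", "unmaintained" or "unknown" (assumed labels)


# Constructed inventory: several apps each carrying their own libc copy,
# plus one unrelated library to show that it is ignored.
INVENTORY = [
    BundledLib("editor", "libc", "2.31", "active"),
    BundledLib("chat", "libc", "2.35", "active"),
    BundledLib("game", "libc", "2.33", "unmaintained"),
    BundledLib("player", "libc", "2.28", "active"),     # too old to be hit
    BundledLib("notes", "libc", "2.36.1", "unknown"),
    BundledLib("editor", "libpng", "1.6.37", "active"),
]

# Constructed advisory: a fictional bug in libc 2.31 up to (excluding) 2.37.
ADVISORY = {"library": "libc", "affected": ">=2.31,<2.37"}


def parse_version(text: str) -> tuple:
    """Turn '2.31' or '2.36.1' into a comparable tuple of ints.
    A non-numeric component (e.g. 'rc1') ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated list of constraints such as '>=2.31,<2.37';
    every constraint must hold for the version to count as affected."""
    v = parse_version(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        m = re.fullmatch(r"(>=|<=|==|>|<)\s*([\w.\-]+)", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def distinct_versions(inventory, library: str) -> set:
    """How many different copies of one library are scattered around."""
    return {e.version for e in inventory if e.library == library}


def affected(inventory, advisory) -> list:
    """All bundled copies of the advisory's library inside the affected range."""
    return [e for e in inventory
            if e.library == advisory["library"]
            and in_range(e.version, advisory["affected"])]


def triage(inventory, advisory) -> dict:
    """Split affected apps into those with an active maintainer (an update can
    be expected) and those nobody is going to rebuild."""
    result = {"patchable": [], "orphaned": []}
    for e in affected(inventory, advisory):
        bucket = "patchable" if e.maintainer == "active" else "orphaned"
        result[bucket].append(e.app)
    for apps in result.values():
        apps.sort()
    return result


if __name__ == "__main__":
    lib = ADVISORY["library"]
    print(f"{len(distinct_versions(INVENTORY, lib))} distinct copies of {lib}")
    report = triage(INVENTORY, ADVISORY)
    print("update expected from upstream:", ", ".join(report["patchable"]))
    print("orphaned, needs manual action:", ", ".join(report["orphaned"]))
```

The useful output is the `orphaned` list: those are the apps where waiting for an update button to light up is not a plan, and where the sensible mitigations are removing the app, rebuilding it yourself, or confining it more tightly until a fixed build exists.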