oss-sec mailing list archives
Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Sun, 1 Oct 2023 01:16:01 -0400
On Sat, Sep 30, 2023 at 07:28:46PM -0400, Michael Orlitzky wrote:
> On Sat, 2023-09-30 at 13:00 -0400, Demi Marie Obenour wrote:
> > It is also worth noting that Rust-the-language supports dynamic
> > linking. Once Cargo supports this and downstreams (like Fedora)
> > obtain sufficient build capacity, it will be possible to use dynamic
> > linking by performing automatic cascading rebuilds whenever a package
> > is upgraded. Arch already does this for Haskell IIUC.
>
> We do it for Haskell in Gentoo, too, but we have a dark secret: it only
> works because Haskell became unpopular. There are basically only two
> Haskell programs, and everything works for n = 2.

Why would this not work for a more popular language like Rust? I know
that Gentoo is limited by the compute resources of a single machine, but
cascading rebuilds should not be a problem for modern distributed build
infrastructure, provided that the build clusters are sufficiently large.

Also, are the two programs GHC and Pandoc?

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab