oss-sec mailing list archives

Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)


From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Sun, 1 Oct 2023 01:16:01 -0400

On Sat, Sep 30, 2023 at 07:28:46PM -0400, Michael Orlitzky wrote:
> On Sat, 2023-09-30 at 13:00 -0400, Demi Marie Obenour wrote:
> > It is also worth noting that Rust-the-language supports dynamic linking.
> > Once Cargo supports this and downstreams (like Fedora) obtain sufficient
> > build capacity, it will be possible to use dynamic linking by performing
> > automatic cascading rebuilds whenever a package is upgraded.  Arch
> > already does this for Haskell IIUC.
> 
> We do it for Haskell in Gentoo, too, but we have a dark secret: it only
> works because Haskell became unpopular. There are basically only two
> Haskell programs, and everything works for n = 2.

Why would this not work for a more popular language like Rust?  I know
that Gentoo is limited by the compute resources of a single machine, but
cascading rebuilds should not be a problem for modern distributed build
infrastructure, provided that the build clusters are sufficiently large.

Also, are the two programs GHC and Pandoc?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
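The "cascading rebuilds" the thread argues about are, mechanically, a reverse-dependency closure followed by a topological rebuild order: when a dynamically linked crate is upgraded, every package that transitively links against it must be rebuilt, in dependency order, so that nothing loads a library built against an old ABI. The following script is an added illustration, not code from the thread or from any distribution's tooling; the dependency graph (`DEPENDS_ON`) is constructed sample data, and the crate names in it are used purely as labels.

```python
# Added example (not from the oss-sec thread): compute the cascading rebuild
# plan a distribution would need after upgrading one dynamically linked crate.
from collections import defaultdict, deque

# package -> packages it links against; constructed sample data, not a real
# distribution's dependency graph.
DEPENDS_ON = {
    "libc-sys": [],
    "serde": [],
    "tokio": ["libc-sys"],
    "hyper": ["tokio"],
    "reqwest": ["hyper", "serde"],
    "ripgrep": ["serde"],
    "cargo-audit": ["reqwest", "serde"],
}


def reverse_deps(graph):
    """Invert the graph: package -> packages that depend on it."""
    rdeps = defaultdict(set)
    for pkg, deps in graph.items():
        for dep in deps:
            rdeps[dep].add(pkg)
    return rdeps


def rebuild_set(graph, upgraded):
    """Every package that transitively links against `upgraded` (BFS over reverse edges)."""
    rdeps = reverse_deps(graph)
    seen, queue = set(), deque([upgraded])
    while queue:
        current = queue.popleft()
        for dependent in rdeps[current]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def rebuild_order(graph, upgraded):
    """Topologically ordered rebuild plan (Kahn's algorithm restricted to the rebuild set).

    A package is rebuilt only after every rebuilt package it links against, so each
    build sees the freshly built libraries rather than stale ones.
    """
    to_rebuild = rebuild_set(graph, upgraded)
    rdeps = reverse_deps(graph)
    # In-degree counts only edges that stay inside the rebuild set; packages
    # outside it are untouched and already consistent.
    indeg = {p: sum(1 for d in graph[p] if d in to_rebuild) for p in to_rebuild}
    ready = deque(sorted(p for p, n in indeg.items() if n == 0))
    order = []
    while ready:
        pkg = ready.popleft()
        order.append(pkg)
        for dependent in sorted(rdeps[pkg]):
            if dependent in to_rebuild:
                indeg[dependent] -= 1
                if indeg[dependent] == 0:
                    ready.append(dependent)
    if len(order) != len(to_rebuild):
        raise ValueError("dependency cycle inside the rebuild set")
    return order


if __name__ == "__main__":
    for upgraded in ("serde", "libc-sys", "ripgrep"):
        print(f"upgrade {upgraded}: rebuild {rebuild_order(DEPENDS_ON, upgraded)}")
```

The size of `rebuild_set` is what the thread's "n = 2" remark is really about: with two Haskell programs the closure is at most two builds, while in a large Rust ecosystem a low-level crate's closure is a large fraction of the archive, which is why Demi's reply conditions the approach on build-cluster capacity rather than on the algorithm.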
