|
Message-ID: <ZRkAokgUEw9cD7yG@itl-email>
Date: Sun, 1 Oct 2023 01:16:01 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com
Subject: Re: Rust programs in distrbutions (Was:
CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)
On Sat, Sep 30, 2023 at 07:28:46PM -0400, Michael Orlitzky wrote:
> On Sat, 2023-09-30 at 13:00 -0400, Demi Marie Obenour wrote:
> > It is also worth noting that Rust-the-language supports dynamic linking.
> > Once Cargo supports this and downstreams (like Fedora) obtain sufficient
> > build capacity, it will be possible to use dynamic linking by performing
> > automatic cascading rebuilds whenever a package is upgraded. Arch
> > already does this for Haskell IIUC.
>
> We do it for Haskell in Gentoo, too, but we have a dark secret: it only
> works because Haskell became unpopular. There are basically only two
> Haskell programs, and everything works for n = 2.
Why would this not work for a more popular language like Rust? I know
that Gentoo is limited by the compute resources of a single machine, but
cascading rebuilds should not be a problem for modern distributed build
infrastructure, provided that the build clusters are sufficiently large.
Also, are the two programs GHC and Pandoc?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.