Fedora Moves Ahead With Plans To Drop Packages Having Bad Security Practices
    Phoronix: Fedora Moves Ahead With Plans To Drop Packages Having Bad Security Practices

    The Fedora Engineering and Steering Committee (FESCo) has signed off on plans to drop packages with consistently bad security records...

    http://www.phoronix.com/scan.php?pag...rcing-Security

  • #2
    get rid of gstreamer-0.10 series, for a start, but that will never happen with Fedora



    • #3
      Originally posted by Anvil
      get rid of gstreamer-0.10 series
      Please link to the bug that fulfills the criteria:
      "If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months."



      • #4
        Originally posted by DanL

        Please link to the bug that fulfills the criteria:
        "If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months."
        Fedora tried to get rid of that gstreamer series some releases ago due to security issues with it. AFAIK, though, they can't drop it due to other packages depending on that gstreamer series. Soundconverter 3.0.0 should no longer depend on the gstreamer0-10 series, whereas the previous ones did. Something was said about why, I think on the devel mailing list, but all you'd have to do is check in dnf what packages still depend on gstreamer0-10.

        here is the list https://lists.fedoraproject.org/arch...E7JPR47UQABAV/
        Last edited by Anvil; 08-27-2018, 10:24 PM.



        • #5
          Originally posted by Anvil
          Your link makes reference to one vulnerability, which has been fixed.
          https://bugzilla.redhat.com/show_bug.cgi?id=1397443

          Try again.



          • #6
            They need to ditch pycrypto, which is bug-ridden and unmaintained.
            https://www.cvedetails.com/product/2...endor_id=11993

            There is already pycryptodomex, which is unfortunately installed in parallel. They need to replace it entirely with pycryptodome (without -x).



            • #7
              See guys? finite9 you might be interested in this. From the other thread about why flatpak is needed and why the current distro packaging sucks, this is the perfect proof.

              No, it's not about these packages and it's not about the security implications at all that I'm speaking about. It's a far broader point: packages of your application (basically, your app's distribution itself) get dropped at the decision of someone else. That's why it's not sane and no dev wants it.

              If they do this, surely they can find tons of other reasons to drop anything else, without the application author having a say whatsoever.


              Unfortunately I just realized that ELF is so bad and broken that not even flatpak can save it in some cases. Think of running a DAW like Reaper on Linux, which uses GTK3. Let's say you have flatpak with Reaper and all is well. Now try loading a GTK2 plugin in it.

              Nope, not gonna happen, because of ELF. Running Reaper in Wine solves this completely. Windows has no such issue, neither does Wine, because they both use something sane called PE/COFF/DLLs.

              There's nothing flatpak can do about it. At this point, ELF needs to get scrapped and Linux either needs to support DLLs, or FORCEFULLY demand that all libraries use symbol versioning.



              • #8
                Originally posted by Weasel
                Windows has no such issue, neither does Wine, because they both use something sane called PE/COFF/DLLs.
                First time I've ever seen DLLs called "sane".
                Last edited by mulenmar; 08-28-2018, 11:20 AM.



                • #9
                  Originally posted by Weasel
                  See guys? finite9 you might be interested in this. From the other thread about why flatpak is needed and why the current distro packaging sucks, this is the perfect proof.

                  No, it's not about these packages and it's not about the security implications at all that I'm speaking about. It's a far broader point: packages of your application (basically, your app's distribution itself) get dropped at the decision of someone else. That's why it's not sane and no dev wants it.

                  If they do this, surely they can find tons of other reasons to drop anything else, without the application author having a say whatsoever.


                  Unfortunately I just realized that ELF is so bad and broken that not even flatpak can save it in some cases. Think of running a DAW like Reaper on Linux, which uses GTK3. Let's say you have flatpak with Reaper and all is well. Now try loading a GTK2 plugin in it.

                  Nope, not gonna happen, because of ELF. Running Reaper in Wine solves this completely. Windows has no such issue, neither does Wine, because they both use something sane called PE/COFF/DLLs.

                  There's nothing flatpak can do about it. At this point, ELF needs to get scrapped and Linux either needs to support DLLs, or FORCEFULLY demand that all libraries use symbol versioning.
                  This is so warped, delusional, and misinformed that all I can do is roll my eyes and move on.



                  • #10
                    Originally posted by Weasel
                    See guys? finite9 you might be interested in this. From the other thread about why flatpak is needed and why the current distro packaging sucks, this is the perfect proof.

                    No, it's not about these packages and it's not about the security implications at all that I'm speaking about. It's a far broader point: packages of your application (basically, your app's distribution itself) get dropped at the decision of someone else. That's why it's not sane and no dev wants it.

                    If they do this, surely they can find tons of other reasons to drop anything else, without the application author having a say whatsoever.
                    You don't need Flatpak or Snap or some other similar technology to distribute your own software, you can do that using the existing package management systems, and several software projects have been doing that for a very long time.

                    Originally posted by Weasel
                    Unfortunately I just realized that ELF is so bad and broken that not even flatpak can save it in some cases. Think of running a DAW like Reaper on Linux, which uses GTK3. Let's say you have flatpak with Reaper and all is well. Now try loading a GTK2 plugin in it.

                    Nope, not gonna happen, because of ELF. Running Reaper in Wine solves this completely. Windows has no such issue, neither does Wine, because they both use something sane called PE/COFF/DLLs.

                    There's nothing flatpak can do about it. At this point, ELF needs to get scrapped and Linux either needs to support DLLs, or FORCEFULLY demand that all libraries use symbol versioning.
                    This has nothing to do with ELF vs. PE/COFF.

                    Also, why does Reaper let plugins load/use their own GUI library into the same process? That seems like a bad design…
                    And Reaper seems to use its own GUI library and not Gtk for its main window?
