Hacker News new | ask | show | jobs
by eeZah7Ux 2704 days ago
If anything, it hugely increases the risk of vulnerable libraries being built into the binary and forgotten.

Same with containers. Statistics clearly show the security impact.
2 comments
kbar13 2704 days ago
i dont see how that's true. in both worlds, a developer has to take the manual action to review published vulnerabilities and track down repos they own that are affected and upgrade the dependencies.
link
eeZah7Ux 2703 days ago
No: with dynamic linking, and especially with Linux distributions, most of the work is automated and the patching is done by the distribution security team.

The time to write a patch and deliver it to running systems goes down to days or, more often, hours.

link
cassianoleal 2704 days ago
Do you have a reference to such statistics? I'd love to use them as yet another reason against vendoring dependencies when I talk to colleagues.
link
viraptor 2704 days ago
https://blog.acolyer.org/2017/04/03/a-study-of-security-vuln...

Cautiously posting that link, because I'm not against vendoring. You just need a process around keeping your dependencies up to date / refreshed automatically. The ability to vendor is one thing, how you use it is another.

link
cassianoleal 2704 days ago
Thanks!

I agree with your statement, but what I usually see in real life is that once dependencies are vendored in they never change.

link
eeZah7Ux 2703 days ago
> You just need a process around keeping your dependencies up to date / refreshed automatically

That's what dynamic linking and Linux distributions are for.

link