by ahupp
538 days ago
This is conflating static linking with how the distribution handles updates. If a language is always statically linking dependencies (like Go or Rust), the distribution will have to rebuild everything that depends on a patched package whether or not they are using the language's native tools or some import into the distro package system. What I'm specifically suggesting is:

* Distributions package *binaries*, but not the individual libraries that those binaries depend on.
* Distributions mirror all dependencies, so that you can (in principle) have a completely offline copy of everything that goes into the distribution. Installing a binary uses the language-specific install tools to pull dependencies, targeting the distribution's mirror.
* Enough dependency tracking to know what needs to be rebuilt if there's a security update.
* Any outside dependencies (e.g. openssl) will continue to depend on whatever the distribution packages.
* Dependencies are not globally installed, but use whatever isolation facilities the language has (so e.g. a venv for python, whatever npm does).
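The "enough dependency tracking" step of the proposal above, as an added example that is not code from the thread or from any distribution's tooling. It assumes each packaged binary ships with a lock file pinning the exact versions of its transitive dependencies, and that a security advisory names one package plus the version ranges it affects. The binary names, package names, versions and the advisories are constructed sample data, not real packages.

```python
"""Which shipped binaries must be rebuilt when a vendored dependency gets a
security fix?  Added example; the locks and advisories below are constructed."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# One lock per binary: package name -> (pinned version, direct dependency names).
Lock = Dict[str, Tuple[str, List[str]]]


def parse_version(s: str) -> Version:
    """'1.2.10' -> (1, 2, 10), so comparison is numeric rather than lexical."""
    return tuple(int(part) for part in s.split("."))


# Constructed sample lock data (hypothetical binaries and libraries).
LOCKS: Dict[str, Lock] = {
    "netcli": {
        "netcli":   ("2.0.0", ["httpkit", "tlswrap"]),
        "httpkit":  ("1.4.2", ["tlswrap", "urlparse"]),
        "tlswrap":  ("0.9.5", []),
        "urlparse": ("3.1.0", []),
    },
    "imgconv": {
        "imgconv": ("0.3.1", ["pngdec"]),
        "pngdec":  ("2.2.0", ["zlibng"]),
        "zlibng":  ("1.0.0", []),
    },
    "reporter": {
        "reporter": ("5.1.0", ["httpkit"]),
        "httpkit":  ("1.3.0", ["urlparse"]),   # older httpkit without tlswrap
        "urlparse": ("3.1.0", []),
    },
}

# Constructed advisories: affected ranges are half-open, lo <= version < hi.
TLSWRAP_ADVISORY = {"package": "tlswrap", "affected": [("0.9.0", "0.9.7")]}
HTTPKIT_ADVISORY = {"package": "httpkit", "affected": [("1.0.0", "1.4.0")]}


def version_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def dependency_path(lock: Lock, root: str, target: str) -> Optional[List[str]]:
    """Shortest chain of package names from the binary's root package to target
    (BFS), so the rebuild report can say *why* a binary is affected."""
    queue = deque([(root, [root])])
    seen = set()
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for dep in lock[node][1]:
            queue.append((dep, path + [dep]))
    return None


def rebuild_set(locks: Dict[str, Lock], advisory: dict) -> Dict[str, Tuple[str, List[str]]]:
    """Return {binary: (pinned version, dependency path)} for every binary whose
    pinned copy of the advisory's package falls inside an affected range.
    Binaries that pin the package at an unaffected version are left alone."""
    pkg = advisory["package"]
    result = {}
    for binary, lock in locks.items():
        if pkg not in lock:
            continue
        version, _ = lock[pkg]
        if not version_affected(version, advisory["affected"]):
            continue
        result[binary] = (version, dependency_path(lock, binary, pkg))
    return result


if __name__ == "__main__":
    for adv in (TLSWRAP_ADVISORY, HTTPKIT_ADVISORY):
        print(f"advisory for {adv['package']}:")
        for binary, (ver, path) in rebuild_set(LOCKS, adv).items():
            print(f"  rebuild {binary}: pins {adv['package']} {ver} via {' -> '.join(path)}")
```

The lock files are the distribution's record of what went into each binary, so the same data answers both "what must be rebuilt" and "through which dependency chain"; the second answer matters when the fix has to be backported rather than simply bumping the pinned version.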
The problem here is upstream devs saying "my dependency needs are absolute". And a security update ruins that: because as soon as one happens, now no matter what we're going to be replacing libraries anyway. Even your proposal includes this: we're going to strip out openssl libraries and use distro ones.
At which point everything might break anyway, because whether a security hole can be fixed at all depends on which versions of a library it affects and how. Not to mention problems like finding the issue in one version, but it's changed enough that it's not clear whether a different version is impacted the same way.