Lest we forget the lessons of the XZ Utils backdoor, which was nearly a year ago now, I'll repost @ariadne's post about what we can learn from it: ariadne.space/2024/04/02/the-x

I was thinking about this today because I happened to look at the transitive dependencies of a program that uses libxml2, and noticed that Debian's build of libxml2 depends on liblzma (the library in XZ Utils where the backdoor was inserted).

Link preview: ariadne.space, "The XZ Utils backdoor is a symptom of a larger problem", by Ariadne Conill

I think we should normalize building libraries with just the features required by a particular application, which is something that Debian and most distros definitely don't do. At the same time, if I build everything from source, I'm responsible for all the security updates.

Then again, if a library is built with all unnecessary features and transitive dependencies eliminated, then depending on the library and the transitive dependencies, perhaps a lot of security updates become irrelevant.

Thinking about all this as I consider whether to build ffmpeg from source with minimal features. Perhaps ffmpeg is one of the worst offenders when it comes to "junk drawer" libraries as discussed in the article.
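The trade-off described above (how many transitive libraries, and therefore how many future security updates, an optional build feature drags in) can be made concrete by walking the dependency graph with and without each feature. The script below is an added example and not code from the thread or from any project named in it; the dependency graph it uses is a constructed, simplified stand-in for real distro metadata (the edge `libxml2 -> liblzma` is there because the thread mentions it, the others are illustrative). On a real system the same graph would be populated from `ldd` or `readelf -d` output rather than typed in by hand.

```python
"""Audit which shared libraries a program reaches transitively, and which of
them arrive only through optional build-time features of an intermediate
library.  Added example; the dependency graph below is constructed for
illustration and is not real Debian package metadata."""
from collections import deque

# Each entry maps a library to its direct dependencies as (dependency, feature)
# pairs.  feature is None when the dependency is unconditional (core), or the
# name of the optional configure-time feature that introduces it.
DEPS = {
    "myapp":     [("libxml2", None), ("libc", None)],
    "libxml2":   [("libc", None), ("libz", None),
                  ("liblzma", "lzma"),   # optional xz support (assumed feature name)
                  ("libicu", "icu")],    # optional ICU support (assumed feature name)
    "libicu":    [("libc", None), ("libstdc++", None)],
    "libstdc++": [("libc", None)],
    "liblzma":   [("libc", None)],
    "libz":      [("libc", None)],
    "libc":      [],
}


def _edge_enabled(feature, enabled_features):
    """An edge is followed if it is core, or if its feature is switched on.
    enabled_features=None means 'everything on', i.e. a typical distro build."""
    return feature is None or enabled_features is None or feature in enabled_features


def closure(root, enabled_features=None):
    """Set of libraries reachable from root (root itself excluded)."""
    seen, queue = set(), deque([root])
    while queue:
        lib = queue.popleft()
        for dep, feature in DEPS.get(lib, []):
            if _edge_enabled(feature, enabled_features) and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def trimmed(root, enabled_features):
    """Libraries that drop out of the closure when only enabled_features are
    compiled in: every one of these is a future security update that no
    longer applies to this deployment."""
    return closure(root) - closure(root, enabled_features)


def why(root, target, enabled_features=None):
    """Every dependency chain from root to target, each edge annotated with
    the feature that introduced it, so you can see *why* a library is loaded."""
    chains = []

    def dfs(lib, chain, on_path):
        if lib == target:
            chains.append(chain)
            return
        for dep, feature in DEPS.get(lib, []):
            if not _edge_enabled(feature, enabled_features) or dep in on_path:
                continue  # feature disabled, or cycle guard
            step = f"{lib} -[{feature or 'core'}]-> {dep}"
            dfs(dep, chain + [step], on_path | {dep})

    dfs(root, [], {root})
    return chains


if __name__ == "__main__":
    print("full build  :", sorted(closure("myapp")))
    print("minimal     :", sorted(closure("myapp", set())))
    print("removed     :", sorted(trimmed("myapp", set())))
    for chain in why("myapp", "liblzma"):
        print("liblzma via :", " ; ".join(chain))
```

Running it shows that a "minimal" libxml2 build, with the `lzma` and `icu` features off, removes liblzma, libicu and libstdc++ from the program's load set, and `why()` prints the exact edge (here `libxml2 -[lzma]-> liblzma`) that would have to be disabled to get there.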

@matt i don't think ffmpeg fits the definition of a junk drawer, such as it is, because those transitive dependencies are the core reason you use ffmpeg. they're not really side functionality, it's stuff needed to support the wide range of features ffmpeg has.

@matt libsystemd accumulating a dependency on libxz in a highly load-bearing binary, just because it's got some weird feature used in one place is very different from ffmpeg having a dependency on libxz so it can decode and encode video containers

@dotstdy @matt yeah i agree that ffmpeg isn’t what i had in mind when i was thinking about junk drawer libraries.

at least to me, a junk drawer library is one where a bunch of unrelated concerns have been amalgamated.

for example, libsystemd and glib (the GNOME base library, not glibc) fit this definition of junk drawer libraries, but libavcodec and friends wouldn’t, as they are concern-specific.

@jannem @dotstdy @matt ehh, for the most part, glibc doesn’t deviate too much from POSIX and ISO C runtime functions

yes, there is stupid shit like strfry(3) but it’s not really the same thing. you’re pulling in glibc because you need a C runtime, and that’s the one you already have.

different than pulling in libsystemd for sd_notify()