#1734 Many packages are not following the Guidelines for bundled libraries
Closed: Insufficient data 3 years ago Opened 3 years ago by maxamillion.

It was recently brought to my attention in a package review that there are many packages available in Fedora right now that are violating the Package Guidelines for Bundled Libraries by not specifying a version. This breaks the ability to properly audit this bundled source code. I would like to know how FESCo would like to proceed to resolve this.


Metadata Update from @maxamillion:
- Issue assigned to maxamillion

3 years ago

Metadata Update from @maxamillion:
- Assignee reset

3 years ago

This ticket runs afoul of a bug in python-markdown which prevents links with paths containing colons (which are actually not valid) from working properly. The actual link to the guidelines page is https://fedoraproject.org/wiki/Bundled_Libraries

My inclination would be to ask FPC to amend the guidelines to follow current practice ("rpm -q -a --provides|grep bundled") and allow unversioned bundles() provides.

Why? Two reasons:
- it can be hard to determine which code version exactly is bundled. If the upstream just imports some files, it'd be necessary to script tree-by-tree comparisons to upstream, which is not something we should ask packagers to do.
- I don't think versioned bundled() provides are actually all that useful. For some commonly bundled libraries that have a few well-specified versions, it is. But for a lot of the continuously and backwards-incompatibly changing stuff out there, the version is not strong enough to determine if an issue exists in the bundled code, and the only good approach is manual inspection of the bundled code or testing of the build. This is in particular always true for bundled code which has been modified from the upstream version.

Ultimately versioning of the bundled() Provides can be both very time consuming and not particularly useful.

(Do people have contradictory experiences: do you use the versions of bundled() Provides? If yes, which ones and how?)
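As an added illustration (not part of the ticket or of any Fedora tooling), a small shell audit that reads rpm provides and lists the bundled() Provides that carry no version, which is exactly the gap the opening post describes. The input format and the rpm queryformat in the trailing comment are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag bundled() Provides that have no "= VERSION" part.
# Input (stdin), one provide per line: "PKGNAME: PROVIDE [= VERSION]"
# Output: "PKGNAME PROVIDE" for every unversioned bundled(...) provide.
audit_bundled() {
    awk '
        # only bundled(...) virtual provides are of interest
        $2 ~ /^bundled\(/ {
            # a versioned provide looks like: foo: bundled(zlib) = 1.2.11
            # anything else (no "=", or "=" with an empty version) is flagged
            if ($3 != "=" || $4 == "") {
                sub(/:$/, "", $1)
                print $1, $2
            }
        }
    ' | sort -u
}

# Constructed sample of query output (not real package data).
SAMPLE_PROVIDES='foo: bundled(zlib) = 1.2.11
foo: libfoo.so.1()(64bit)
bar: bundled(mathjax)
baz: bundled(jquery) =
baz: bundled(jquery) =
qux: bundled(libtomcrypt) = 1.18'

# Wrapper so the result can be checked as a single string.
sample_unversioned() {
    printf '%s\n' "$SAMPLE_PROVIDES" | audit_bundled
}

# On a real system the same function can consume (rpm tag names assumed):
#   rpm -qa --qf '[%{NAME}: %{PROVIDENAME} %{PROVIDEFLAGS:depflags} %{PROVIDEVERSION}\n]' | audit_bundled
sample_unversioned
```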


The purpose of the "bundled()" tag is to enable us to have a means to identify packages using a bundled lib. This is useful in cases of "emergency", such as vulnerabilities in particular versions of a bundled library.

I know. But have you actually used it for that (or anything else)?


Yes, I have. However, I will admit I don't know if this is actually a common practice but from a Fedora Release Engineering standpoint, it's a hard requirement.

Can you shed some light on which packages / requires and when, and if the existing bundled() annotations were sufficient?


The historic precedent for all such cases is what happened to libz (libbz2?) on Linux in the late 90s. At that time static linkage and bundling was the norm. Then an exploitable vulnerability was found in libz and fixed in a particular version. With no means present to identify affected or potentially affected packages, this resulted in many distros not being able to react quickly.

It was mere luck, and basically only thanks to the fact that the internet wasn't yet as ubiquitous as it is today, that this didn't have dramatic consequences for security.

The longer-term consequence was to discourage/ban static linkage and bundling, because this makes relevant deps visible at the package dep level. This has saved Linux from many issues for the last 20 years. Unfortunately, mankind seems to be unable to learn from history and mistakes are repeating (Hi FESCO, Kodi, Handbrake, ffmpeg, ... !) :-)

That said, the packages I would expect to already have, or soon to have, similar issues are all packages bundling encryption algorithms (they often are very small and thus bundled!), because certain implementations are known to be vulnerable.

Is something that happened almost a generation ago really the most recent example?

(For example, at some point I wanted to unbundle mathjax. I never got around to that, but if I did, being able to rpm -q --whatprovides bundled(mathjax) would be quite useful. But I would never check the versions — I'd just rip out the bundled versions and test if things work with the shared package… So I'm looking for actual, semi-recent examples where the versions were used. After all, this is what this ticket is about.)

Can you shed some light on which packages / requires and when, and if the existing bundled() annotations were sufficient?

I'm sorry, I don't understand the question. What would you like provided?

A concrete and semi-recent example of actual use.

Metadata Update from @sgallagh:
- Issue close_status updated to: Insufficient data
- Issue status updated to: Closed (was: Open)

3 years ago
