From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-October/008648.html | 120 ++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-October/008648.html (limited to 'zarb-ml/mageia-dev/2011-October/008648.html') diff --git a/zarb-ml/mageia-dev/2011-October/008648.html b/zarb-ml/mageia-dev/2011-October/008648.html new file mode 100644 index 000000000..50526e710 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-October/008648.html @@ -0,0 +1,120 @@ + + + + [Mageia-dev] About syslinux & libpng + + + + + + + + + +

[Mageia-dev] About syslinux & libpng

+ Michael Scherer + misc at zarb.org +
+ Thu Oct 6 00:53:56 CEST 2011 +

+
+ +
Le mardi 04 octobre 2011 à 17:24 +0200, Guillaume Rousse a écrit :
+> Le 04/10/2011 16:50, Michael scherer a écrit :
+> > On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote:
+> >> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
+> >>
+> >>> Except if I start to replace this by "here is a nice syslinux boot image
+> >>> with a duck". And then my code is run by syslinux, just because someone
+> >>> took my png picture.
+> >>
+> >> And the same person could say, "Here is my cool plymouth splash screen, use my
+> >> initrd", and there are 1000 easier ways to exploit this (than trying to
+> >> generate a PNG image with exploit code that someone would like enough to use
+> >> syslinux).
+> >
+> > Sure, but we can also upload the pics on some gnome-art or something like that.
+> >
+> > Now, if we consider every possible exploit requires opening a document as a non
+> > problem, I guess it would surely reduce our workload on security issue, and
+> > for sure enhance the confidence.
+> Those situations are not really comparable. Opening a document with the 
+> corresponding application is a normal usage scenario, whereas 
+> configuring the boot process is a system administration scenario, 
+> requiring explicit context change.
+
+This depend on the ease of use. If we have something easy to use to
+change the boot process, I would not consider that as a system
+administration task ( at least, that's not what i do as a sysadmin most
+of the time ).
+
+And the question is that if we start to have exception for boot process
+because that's too complex to do, and because there is likely no
+problem, we are just being lazy. That would not be the first time, nor
+the last, and I do not think we will get ride of bundled libraries
+( since more expert community with more people have trouble to do that,
+and we already traded sanity for convenience the day we packaged firefox
+and chrome ), but not even trying will just make things worst in the
+future.
+
+> > And while I was not aware of it when I wrote my mail, it already happened :
+> >
+> > MDKSA-2006:210
+> Nobody said it didn't happened, just than forcing build against system 
+> version of the library would requires more effort right now, without 
+> avoiding the need to also rebuild syslinux in case of vulnerability in 
+> libpng, as it is statically linked. It would just make easier to track 
+> vulnerability by having a single version, and avoid to patch twice.
+
+Which is already useful by itself. 
+
+If it requires more work for now, that's also because everybody think
+"someone else should do it, I will see later". Maybe next time, we
+should not push a newer version of anything, and let the other do the
+work. This worked fine for Mageia 1, this worked fine for Debian, so
+maybe we could just go that way if that's easier. 
+
+But in the same time pushing latest version of low level and higher
+level component and then complain this make work is just wrong.
+
+Packager like to push newer stuff, except when it mean work for them
+( like mass rebuild and fixing, like gnutls, libpng, python ). That's
+not consistent.
+-- 
+Michael Scherer
+
+
+ + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
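Review bot: the commit message "Add zarb MLs html archives" gives no source or method for this import, so the hunk cannot be regenerated or refreshed later; the file is plainly generated archive output (the message header block with author, obfuscated address and date, and the "More information about the Mageia-dev mailing list" footer), so please record in the message where the export came from and whether these pages are meant to be a verbatim, read-only snapshot rather than hand-edited HTML. The archived text itself (the bundled, statically linked libpng in syslinux and the MDKSA-2006:210 reference) is the mail being preserved, not something this change alters, so no action is needed on its content.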