Post Aa9VxPbYMuY1P9x54S by frehi@fosstodon.org
 (DIR) Post #Aa9UZ6qmLUFwKovBOi by eighthave@social.librem.one
       2023-09-26T07:18:21Z
       
       1 likes, 4 repeats
       
       The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
       
 (DIR) Post #Aa9VxPbYMuY1P9x54S by frehi@fosstodon.org
       2023-09-26T07:43:44Z
       
       0 likes, 0 repeats
       
       @eighthave I agree completely. Unfortunately it seems like the Firefox package uses its own libwebp copy, because there was a separate Firefox security update https://www.debian.org/security/2023/dsa-5496 and the package does not depend on libwebp7.
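
       The distinction the two posts above draw (a package that consumes the shared libwebp7, so the lib update fixes it, versus one carrying its own libwebp copy that needs its own advisory) can be checked from dpkg metadata, ldd output and a symbol-name scan. The script below is an added illustration, not from the thread; its dpkg/ldd samples and binary bytes are constructed, and the symbol scan is a heuristic rather than a definitive test.

```python
import re

# Constructed samples shaped like `dpkg -s <pkg>` and `ldd <binary>` output;
# not captured from a real Debian system.
DPKG_STATUS = {
    "gimp": "Package: gimp\nDepends: libgimp2.0 (>= 2.10), libwebp7 (>= 1.2.4), libc6 (>= 2.34)\n",
    "firefox-esr": "Package: firefox-esr\nDepends: libc6 (>= 2.34), libx11-6, fontconfig\n",
}
LDD_OUTPUT = {
    "/usr/bin/gimp": (
        "\tlibwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f0a)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0b)\n"
    ),
    "/usr/lib/firefox-esr/firefox-esr": "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0b)\n",
}
# Constructed stand-ins for the binaries' bytes: the Firefox one carries
# decoder symbol names, as a binary with a bundled libwebp would.
BINARY_BYTES = {
    "/usr/bin/gimp": b"\x7fELF...gimp_main\x00...",
    "/usr/lib/firefox-esr/firefox-esr": b"\x7fELF...WebPDecode\x00WebPGetInfo\x00",
}
# Public libwebp entry points; their names survive in a binary that embeds the library.
WEBP_SYMBOLS = (b"WebPDecode", b"WebPGetInfo", b"WebPGetFeatures")


def depends_on(status_text: str, package: str) -> bool:
    """Return True if the dpkg Depends field names `package`."""
    m = re.search(r"^Depends:\s*(.*)$", status_text, re.MULTILINE)
    if not m:
        return False
    names = {d.strip().split()[0] for d in m.group(1).split(",") if d.strip()}
    return package in names


def links_shared(ldd_text: str, soname: str) -> bool:
    """Return True if ldd output lists the shared object `soname`."""
    return any(line.strip().startswith(soname) for line in ldd_text.splitlines())


def classify(pkg: str, binary: str) -> str:
    """'shared': fixed by the libwebp7 update; 'vendored': needs its own advisory; 'none': no WebP code found."""
    if depends_on(DPKG_STATUS[pkg], "libwebp7") or links_shared(LDD_OUTPUT[binary], "libwebp.so.7"):
        return "shared"
    if any(sym in BINARY_BYTES[binary] for sym in WEBP_SYMBOLS):
        return "vendored"
    return "none"


if __name__ == "__main__":
    for pkg, binary in (("gimp", "/usr/bin/gimp"), ("firefox-esr", "/usr/lib/firefox-esr/firefox-esr")):
        print(f"{pkg}: {classify(pkg, binary)}")
```

On a real system the same three inputs come from `dpkg -s`, `ldd` and reading the binary file; the "vendored" result is what tells you the lib package update alone did not cover that program.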
       
 (DIR) Post #Aa9VxQemSOiufSTAjw by eighthave@social.librem.one
       2023-09-26T07:47:22Z
       
       1 likes, 0 repeats
       
       @frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.
       
 (DIR) Post #Aa9Wgu3jzAgotCpPWK by niclas@angrytoday.com
       2023-09-26T07:57:05Z
       
       0 likes, 0 repeats
       
       @eighthave And the underlying reason for rejecting the distro model is that "You can't have the shiniest new thing, and not be part of the Cool Kids Club."
       
 (DIR) Post #Aa9XtrNFNgSWHOh6ae by jr@social.anoxinon.de
       2023-09-26T08:10:38Z
       
       0 likes, 0 repeats
       
       @niclas @eighthave maybe just use a rolling release distro then?
       
 (DIR) Post #Aa9cn8mYl67W0w9K3U by niclas@angrytoday.com
       2023-09-26T09:05:28Z
       
       0 likes, 0 repeats
       
       @jr I was more referring to rapid turnover of client-side web frameworks over the last 10 years. By the time distros discover that a lot of people are using X, X is on the way out by the Cool Kids and they are moving on... A bit of an exaggeration, but there is some truth to it. I was the same 20 years ago. @eighthave