AxWald wrote: Mon Aug 30, 2021 10:27 am
Btw., Richard, do you know if there's plans for a mechanism to keep all those 3rd party libs up-to-date that any LC StandAlone contains?
I can't imagine why there wouldn't be. There seems little point in using third-party ecosystems if you're not using third-party ecosystems.
Once a StandAlone/APK is compiled, these are out there in fixed versions. Is there really no way but to recompile our projects and do fresh installs each time a fixed version of OpenSSL comes out, or the CVE is updated (and found its way into a new LC version)? Isn't it that, at the current state, ANY LC project out there that's older than a few weeks is a potential security risk?
As Jacque noted, with any software there's always a lag between source update and downstream patch availability.
The length of time between patch availability and updates to downstream tools that use it will vary, and there's an age-old debate between bundles and dependencies: bundles let a developer deliver standalone apps (like LC or Ubuntu's Snap delivery format), but at the cost of size and potential lag in component updates; dependencies allow an app to always use the most current components on the system, at the cost of what's commonly referred to as "DLL hell".
And even among OSes we see wide variance. A good example is the Ubuntu packaging team, which has honed its process to be able to put new versions of packages into its update system within one hour. A bad example is Apple's history of holding back patches until they complete other goals for the OS, delaying some updates by several weeks (though in all fairness, that criticism was a widely-discussed issue several years ago; hopefully they're no longer the slowest of the Big Three to push updates these days).
But then there are the cases where Apple has chosen not to provide package updates at all, often for licensing concerns (Apple seems to avoid anything using GPLv3, presumably for its patent protection clause). For example, rsync is currently at v3.2.3, but last I checked macOS hasn't updated since v2.6.9 from 2006. A lot of security-related issues have been addressed over the years, some flagged as critical.
Here's a list of outdated packages in macOS as of 2014 (if anyone here has a more recent list please post it):
https://robservatory.com/behind-os-xs-m ... nix-tools/
All that said, another consideration to balance against timeliness of patching is upstream vulnerability. If a package has been compromised at the source, those quick to update will spread the vulnerability that much faster. Modern hacks are sometimes clever and not easy to review for all possible vulnerabilities. So while there have been famous cases of upstreams in npm and Python packages years ago that wreaked havoc when everyone rushed to get the latest build, more recently one of the most serious hacks in history occurred with a compromised component slipped into the build stream for the popular SolarWinds security package, allowing hostile nation-state actors deep inside a large number of US and other government systems along with some of the biggest corporations in the world:
https://www.npr.org/2021/04/16/98543965 ... winds-hack
Patching is a delicate balancing act, and I'm not sure anyone gets it perfect. LC's ambitions seem to provide a reasonable balance at least as far as any bundle system (as opposed to DLL hell system) can go.