On 01.07.19 13:11, Kern Sibbald wrote:

> Yes, this is a problem.  I remember we discussed libs3 some time ago,
> but I did not realize that it has a number of security issues.

I am no C/C++ wizard but just the fact that I need to disable about all
checks and warnings a modern compiler has to even get the code to
compile tells me as much as I need to know. Also looking at the commits
after December 2016 tells the same, as there are several commits fixing
memory leaks and buffer overflows.

> Do you see any other alternative for a C/C++ than to use libs3?

I'm sorry, unfortunately everybody seems to have forked and embedded
libs3 at some point in the past and just uses that version for their
projects, with all the problems it contains.

Everyone else seems to use Rust or Go for their S3-based projects. :)

> For other S3 vendors, Bacula Systems has resorted to using the vendor
> supplied command line tools to access their clouds.  This gets
> around the incompatibility of S3 implementations problems, but it opens
> new problems in that the vendors typically supply binaries, and if they
> have problems or bugs there is no way to fix them.  So far, I have no
> good solution to the problem.  I would be interested in any of your
> suggestions.

I am afraid I really have none at the moment.

> In fact, if I thought there were enough Bacula users using AWS S3, I
> would even consider fixing and maintaining the libs3 package myself.  Of
> course that would be workable only if Debian and perhaps other vendors
> would adopt such a project.

The Debian policy allows for embedding libraries in special
circumstances, for example if the forked code diverges enough from the
library already in the Debian repository that using the existing one is
difficult or impossible.

(Besides, the current libs3 has no reverse dependencies and is
essentially useless and should be removed.)

There should be no problems if you fork libs3, fix it to meet modern
security and coding standards and just embed it into Bacula to be
statically linked to the SD or just the plugin.

But since I am not a DD/DM, take my words with caution.

Regards,
Sven.



_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
