Depending on countless hours of work from volunteers to maintain an OS-level package for every library dependency seems untenable to me.
What's worse is having the build system just link in whatever happens to be installed on your system as an application dependency, simply because pkg-config happened to detect it. I think this is an archaic and unreliable way to compile software. This isn't hypothetical either. I just fought this issue (on Windows) with a new version of libcurl linking in libidn2 that was installed by Strawberry Perl because pkg-config found it. I had no intention of linking some random version of libidn2 and might've accidentally bundled it into the Windows installer and shipped it if there hadn't been a compatibility issue. My stance at this time is that I would rather statically link the right versions of the required dependencies and have to recompile the application if it is affected by a CVE. I can appreciate that it saves compute if you have multiple applications using the same shared lib and you only have to rebuild the shared lib. And again, libcurl is probably a great example there where everyone uses it, and it's huge, and it seems to have a new CVE like every 12 weeks. So, I do get that. But in most cases, I don't believe that's worth the burden of tracking down bugs due to unreproducible C/C++ build system technology, and maintaining all those extra packages.

Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: Michael Orlitzky <mich...@orlitzky.com>
Sent: Thursday, September 5, 2024 11:35 AM
To: Micah Snyder (micasnyd) <micas...@cisco.com>; clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] ClamAV 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions published

On Thu, 2024-09-05 at 15:27 +0000, Micah Snyder (micasnyd) wrote:
> Michael,
>
> We didn't change anything in under /libclamav/regex in 0.103.12. This is
> unrelated to the release.
>
> But also... We maintain 0.103 for folks who can't upgrade to newer major
> versions of software.
> gcc-14.2 is from Aug 1, 2024 (aka very new software).

I know, that's why I mentioned that it looks relevant in git HEAD :P

> So why bother with 0.103? Just avoiding the build system changes from
> Autotools to CMake + Rust?

CMake is fine, but bypassing my package manager to bundle old versions of libraries into a daemon (i.e. the way all rust packages work) meant to handle malicious input is a deal-breaker.
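The stray-libidn2 situation described above (a build silently linking whatever pkg-config found on the machine) is something a release pipeline can check for after linking. The following is an added example, not code from this thread or from the ClamAV project: it parses ldd-style `name => path` lines from a constructed sample and flags every library that resolved outside the expected toolchain prefixes, failed to resolve, or is not on a dependency allowlist; the prefixes, the allowlist and the sample paths are assumptions chosen to mirror a MinGW build picking up a DLL from a Strawberry Perl install.

```python
import re
from dataclasses import dataclass

# One ldd-style line: "<name> => <path> (0x...)" or "<name> => not found".
LDD_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s*=>\s*(?P<path>not found|\S+)(?:\s*\(0x[0-9a-fA-F]+\))?\s*$"
)

# CONSTRUCTED sample output for a curl-using tool built with MinGW; the
# paths, versions and load addresses are illustrative only.
SAMPLE_LDD_OUTPUT = """\
        ntdll.dll => /c/WINDOWS/SYSTEM32/ntdll.dll (0x7ff800000000)
        libcurl-4.dll => /mingw64/bin/libcurl-4.dll (0x7ff7a0000000)
        libssl-3-x64.dll => /mingw64/bin/libssl-3-x64.dll (0x7ff7b0000000)
        libidn2-0.dll => /c/Strawberry/c/bin/libidn2-0.dll (0x7ff7c0000000)
        libzstd.dll => not found
"""

# Assumed policy: only these prefixes may supply libraries, only these names.
ALLOWED_PREFIXES = ("/mingw64/", "/c/WINDOWS/")
ALLOWLIST = {"ntdll", "libcurl", "libssl", "libcrypto", "libz"}


@dataclass(frozen=True)
class Finding:
    library: str
    path: str
    reasons: tuple


def base_name(filename):
    """Strip version suffix and extension: 'libidn2-0.dll' -> 'libidn2'."""
    return re.split(r"[.-]", filename, maxsplit=1)[0]


def parse_ldd(output):
    """Return {library name: resolved path or 'not found'} in listing order."""
    deps = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group("name")] = m.group("path")
    return deps


def audit_dependencies(ldd_output, allowed_prefixes=ALLOWED_PREFIXES, allowlist=ALLOWLIST):
    """Flag libraries that are unresolved, from an unexpected prefix, or unlisted."""
    findings = []
    for name, path in parse_ldd(ldd_output).items():
        reasons = []
        if path == "not found":
            reasons.append("unresolved at load time")
        elif not path.startswith(tuple(allowed_prefixes)):
            reasons.append("resolved outside allowed prefixes")
        if base_name(name) not in allowlist:
            reasons.append("not on the dependency allowlist")
        if reasons:
            findings.append(Finding(name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_dependencies(SAMPLE_LDD_OUTPUT):
        print(f"{f.library}: {f.path}: {'; '.join(f.reasons)}")
```

Run against the real `ldd` (or equivalent import listing) of the built binary in CI and fail the packaging step on any finding, so an unintended dependency is caught before it is bundled into an installer.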