One of the essential duties of the distribution packager is to ensure that the software shipped to our users is free of security vulnerabilities. While discovering and fixing the vulnerable code is usually considered upstream's responsibility, the packager needs to ensure that all these fixes reach the end users ASAP. With the aid of central package management and dynamic linking, the Linux distributions have pretty much perfected the deployment of security fixes. Ideally, fixing a vulnerable dependency is as simple as patching a single shared library via the distribution's automated update system.
Of course, this works only if the package in question is actually following good security practices. Over the years, many Linux distributions (at the very least, Debian, Fedora and Gentoo) have been fighting these bad practices with some success. However, today the times have changed. Today, for every 10 packages fixed, a completely new ecosystem emerges with the bad security practices at its central point. Go, Rust and to some extent Python are just a few examples of programming languages that have integrated the bad security practices into the very fabric of their existence, and recreated the same old problems in entirely new ways.
This post explains the issue packagers run into very well – and it sure does seem like these newer platforms aren't very good citizens. I know this isn't related, but this gives me the same feelings and reservations as Flatpak, Snap, and similar tools.