On Sa, 30.03.24 18:56, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote: > > In systemd git main, libsystemd is only linked to libc, libcap, > > and libgcrypt + libgpg-error. A pull request to convert that that last > > pair to dlopen is under review. > > That helps somewhat (it would have prevented this backdoor from working), > but it also makes things even less transparent: How do we know whether some > random sd_foobarify() function or some random foobard linked against > libsystemd will (always or ever (and when?)) end up dlopening liblzma or > not? > > Distribution packagers tend to dislike dlopen due to the hidden dependencies > it introduces. Well, this is certainly a valid point, but the solution is not to make all deps hard ones. Instead, in order to just make these deps visible I see multiple better alternatives: 1. teach Linux/ELF something inspired by MacOS's weak deps. i.e. allow ELF programs declare that some symbols shall be backed by some lib, but make it a weak dep that is only resolved on demand, and gracefully is set to NULL if the library cannot be found. If we had that, we'd stop using dlopen() for systemd's deps, since all we do is basically reimplement this concept manually. 2. without Linux/ELF supporting the above we could still teach systemd and other tools in similar situations to declare the dlopen deps they have in some ELF note or section, so that it can be processed by initrd generators, automatic dep generators in dpkg/rpm, ldd-like tools and everything else that wants this info. This would require some C macro magic, but could be added in probably just a few lines of codes added to relevant projects. Lennart -- Lennart Poettering, Berlin -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
