Mikel Olasagasti wrote: > Hau idatzi du Michael J Gruber (mjg@xxxxxxxxxxxxxxxxx) erabiltzaileak > (2025 urt. 20(a), al. (11:29)): > > > On a related note, I recently highlighted how the introduction of > > > Golang 1.24 has caused significant breakage in over 200 packages [3], > > > an issue that underscores the urgency of addressing these challenges. > > > > How would bundling alleviate this issue? By assuming that all upstreams > > have adjusted to Golang 1.24 already so that you don't have to wait for > > package updates but just pull in with your package? > > Many of the failing packages are source-only packages that are > required to build binary containing packages. If binary packages are > bundled, many of the failing source packages could be retired. So instead of one source-only package with format string bugs, there would be multiple bundled copies with those same format string bugs, which would all have to be updated – multiplied by over 200. Note that format string bugs are potential vulnerabilities, which Go programmers apparently weren't fixing until the tooling started forcing them. · Ideally all the upstreams will quickly make bugfix releases, all the using programs will update their bundled copies, and everything will work right away without any problems caused by API instability or the like. In this ideal case all the source-only packages can also be updated to the latest release without problems. There are tools that help make the ideal case quick and easy, so there's no problem for bundling to solve. · If upstreams release the bugfixes together with incompatible API changes, then the using programs must be adapted to those changes with or without bundling. API instability is always a problem. Bundling can hide the problem in other cases, by keeping old and vulnerable versions of bundled libraries, but when tools start rejecting vulnerable code, then bundling can't hide the problem anymore. Unless you bundle old versions of the entire toolchain in every package. · If nobody fixes the bugs, then the using programs will continue to fail to build, and will remain vulnerable in those cases where the bugs are exploitable. Bundling makes no difference in this case. · If the bugs must be patched downstream because upstreams don't fix them, that's when you want unbundled packages. Patching over 200 packages is certainly a lot of work, but patching multiple bundled copies is even more work. Thus I don't see how bundling would help with those format string bugs. Björn Persson
Attachment:
pgpWSQT61JpYi.pgp
Description: OpenPGP digital signatur
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
