Rich Freeman via plug on 2 Apr 2024 15:44:02 -0700



Re: [PLUG] XZ scanner


On Tue, Apr 2, 2024 at 4:47 PM Steve Litt via plug
<plug@lists.phillylinux.org> wrote:
>
> "Reinventing the wheel" is a cute and persuasive phrase for
> trivializing developers who code their own rather than gleaning other
> people's code (OPC) far and wide, but for the past several years the OPC-
> caused complexification with its attendant voluminous attack surface
> has been on full display.

This is why everybody and their uncle was writing their own bubble
sorts until standard libraries started including a way to sort
collections.  You're just trading one set of problems for another.

> >Even on something like the kernel or
> >a browser I bet you could slowly work your contributors in such that
> >they become the majority of eyeballs in a single subsystem and become
> >trusted to get code far enough along the QA process that it doesn't
> >get as much close attention.
>
> Yes. This is what happens when software gets big, ugly, entangled, and
> poorly designed.

Uh, how would you fix Linux or any of the modern browsers so that they
aren't "poorly designed?"

Complex software isn't inherently bad.  It is just beyond the total
comprehension of a single developer.

It really doesn't matter if you split it up into 100 simpler parts;
you still have the same problem that those parts need to trust each
other to work.  After all, this issue occurred in a library that is
fairly simple already, and if you just re-implemented it dozens of
times that is just dozens more places where somebody could have
implanted the same bug and nobody would have noticed, since it would
have been just as obscure as a fragment of a larger program.

> So let's not make it easy for them. Before incorporating a library,
> everyone should ask:
>
> * Are the library's features worth the complexification and magnified
>   attack surface?
> * How easy would it be to achieve the desired outcome, perhaps in a
>   different form, with a reasonable number of lines of first-person
>   code?

Uh, just how easy do you think it is to implement your own lzma
decompressor, and what is the likely result if you get something
subtly wrong?

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug