Extension Development :: Security Updates
Starting a new topic to keep the "compile issues" thread from being hijacked.

curaga re: my idea of packaging a zlib+ssl+ssh security update:
Quote
They are important, but what about all other stuff that has had security updates (png, jpeg, FF, glibc, etc. etc.)?

Those are also important and I also have libpng, ungif, etc., updated on my hard drive install. The differences between vulns in the image libs and the three I listed are like night and day: the vulns in the image libs are usually limited to causing crashes and DOS while the vulns in ssl/ssh present problems with MITM and other attacks that pilfer private data or make it easier to do so.

I'm not dismissing the severity of problems with other libs or apps. I'm just a lot more concerned about the integrity of the libraries and apps that protect my privacy and my data.

Quote
Just saying it might not be worth going for, as to be secure it would need a total overhaul.

"Going for" is already done on the three I listed; they just need to be stripped and packaged. And, as I noted, I could also submit the image libs as well if there's interest. Beyond that, you're right because it would take a lot of effort to patch it all and tiny core will be out soon with a fresher base and fewer things to keep an eye on. That's another reason I favored making DSL a lot more modular when Robert polled about it last year -- it'll make this issue a lot easier to manage going forward.

I guessed you'd say that, and I agree. It's not worth it trying to update the current DSL, but the tiny core will be different.
I personally would be interested in a .dsl that has an updated libpng, libjpeg, openssh, openssl and so forth. The gtk2 extensions have many updated libraries like that and it is pretty well proven they cause no problems with existing base apps or other extensions. If someone was building a non-gtk2 app that requires updated image libs it would be nice to have an extension containing such as to not have to include the updated libs in each extension. That as well as the security concerns with things such as ssl and ssh. Maybe an .dsl for image libs and a separate one for ssl/ssh.
Quote
Maybe an .dsl for image libs and a separate one for ssl/ssh.

That's kind of where I'm leaning but it may be easier and simpler to manage if I put them all in one. I should have time to work on it this weekend, maybe sooner if I don't have to travel this week.

Update...

I was going to submit this all-in-one with SSL headers so other apps could be compiled against it. That would make it pretty big and unsuitable for users who just want the SSL/SSH/zlib updates. I'm holding back on these until I see what Robert is doing with tiny core. I only know he said he's using dropbear instead of SSH which means we'll need an OpenSSH and sshfs extension(s) for tiny core. Maybe the fuse module, too, if that's out of the base.

I don't know what version of SSL is in tiny core and if all of this will turn into many little pieces or one big package or if I need to separate the SSL headers from the rest so there's an update package and a dev package.
