The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
@eighthave I agree completely. Unfortunately it seems like the Firefox package uses its own libwebp copy, because there was a separate Firefox security update
https://www.debian.org/security/2023/dsa-5496
and the package does not depend on libwebp7.
@frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.
@eighthave Apparently there is a --with-system-webp build option, looking at https://github.com/void-linux/void-packages/blob/master/srcpkgs/firefox/template
But I guess there is a good reason why Debian does not use it.
@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/control
And Mozilla maintains the Firefox packages in Debian; they decided not to use the system libwebp, though their build system supports it.
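A way to check which installed binaries actually pick up the distro's libwebp7 package (and so got the CVE-2023-4863 fix from that one update) and which carry their own copy, as an added example that is not code from this thread: it reads the DT_NEEDED entries of an ELF file in pure Python and flags whether the loader will map the shared `libwebp.so.7`. The soname `libwebp.so.7` and a Firefox path such as `/usr/lib/firefox-esr/libxul.so` are assumptions; a binary reported as `none-or-vendored` either does not decode WebP at all or has the decoder statically linked and needs its own package update.

```python
import struct

SHT_DYNAMIC = 6            # section type of .dynamic
DT_NULL, DT_NEEDED = 0, 1  # dynamic-entry tags we care about

def _section_headers(data, is64, end):
    """Return (sh_type, sh_offset, sh_size, sh_link) for every section header."""
    if is64:   # ELF64: e_shoff at 0x28, section header entries are 64 bytes
        hdr, fmt, at = end + "QIHHHHH", end + "IIQQQQIIQQ", 0x28
    else:      # ELF32: e_shoff at 0x20, section header entries are 40 bytes
        hdr, fmt, at = end + "IIHHHHH", end + "IIIIIIIIII", 0x20
    shoff, _, _, _, _, shentsize, shnum = struct.unpack_from(hdr, data, at)
    rows = []
    for i in range(shnum):
        f = struct.unpack_from(fmt, data, shoff + i * shentsize)
        rows.append((f[1], f[4], f[5], f[6]))
    return rows

def needed_libs_from_bytes(data):
    """DT_NEEDED names: the shared objects the dynamic loader maps at start-up."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    sections = _section_headers(data, is64, end)
    dyn = next((s for s in sections if s[0] == SHT_DYNAMIC), None)
    if dyn is None:
        return []                        # no .dynamic section: fully static binary
    _, dyn_off, dyn_size, link = dyn
    str_off = sections[link][1]          # sh_link of .dynamic points at .dynstr
    fmt, entsize = (end + "qQ", 16) if is64 else (end + "iI", 8)
    libs = []
    for off in range(dyn_off, dyn_off + dyn_size, entsize):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:             # d_val is an offset into .dynstr
            libs.append(data[str_off + val:data.index(b"\0", str_off + val)].decode())
    return libs

def needed_libs(path):
    with open(path, "rb") as f:
        return needed_libs_from_bytes(f.read())

def libwebp_linkage(libs):
    """'shared': the distro's libwebp.so.7 (assumed soname) gets mapped, so updating the
    libwebp7 package alone fixes it. 'none-or-vendored': no WebP use, or a bundled copy."""
    return "shared" if any(l.startswith("libwebp.so") for l in libs) else "none-or-vendored"
```

Run `libwebp_linkage(needed_libs(path))` over the executables and shared objects of a package (for Firefox, the assumed `libxul.so`; for Chromium, its main binary) to see which side of the distro model each one is on.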