The vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of . In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@eighthave I agree completely. Unfortunately it seems like the Firefox package uses its own libwebp copy, because there was a separate Firefox security update
debian.org/security/2023/dsa-5
and the package does not depend on libwebp7.


@frehi exactly, this is what Debian works hard to avoid, but has refused to budge at all with in this regard. They make it impossible to build in the distro style, with shared libraries, etc. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

@eighthave Apparently there is a --with-system-webp build option, looking at github.com/void-linux/void-pac
But I guess there is a good reason why Debian does not use it.

@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp salsa.debian.org/chromium-team

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.

@frehi @eighthave the reason is mostly that Debian backports the security fixes, not the entire library, and Firefox is notorious for requiring the absolute latest versions, so when Firefox LTS gets backported they cannot work with the libs in the stable release within reasonable manpower. This is something to address on the Firefox level.

Using the vendored libs is a last resort "we have to get the Firefox update out there now" thing. Sometimes, the newer libraries are backported under different names which then just the backported newer browsers use, but not the regular packages in the stable release. But again this is not always possible, or possible to do in time.
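The practical question behind this thread is how to tell, for an installed binary, whether it asks the dynamic loader for the distro's libwebp (so a libwebp7 update fixes it automatically) or carries its own copy. The script below is an added example written for this page; it is not code from any poster here, nor from Debian, Chromium or Mozilla. It reads the DT_NEEDED entries directly from the ELF section headers, so it needs no ldd or readelf, and it includes a small constructed-ELF builder (build_minimal_elf, a hypothetical helper, not a real tool) so the check can be exercised offline on synthetic sample input.

```python
"""Report whether ELF binaries link the system libwebp shared object.

Added example: reads the DT_NEEDED entries of an ELF64 little-endian file
straight from its section headers and reports whether a libwebp.so.* appears
among them.  A binary with a vendored or statically linked libwebp shows no
such entry, and neither does a binary that never uses WebP at all, so the
check tells you which binaries a system libwebp7 update will fix on its own.
"""
import struct
import sys
from typing import List

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr, 64 bytes
DYN = struct.Struct("<qQ")                   # Elf64_Dyn, 16 bytes


def needed_libraries(data: bytes) -> List[str]:
    """Return the DT_NEEDED names of an ELF64 little-endian image, in file order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian is handled here")
    ehdr = EHDR.unpack_from(data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    if e_shoff == 0 or e_shnum == 0:
        # Section headers are optional at run time; tools like sstrip drop them.
        raise ValueError("no section headers; a PT_DYNAMIC walk would be needed")
    sections = [SHDR.unpack_from(data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed: List[str] = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic is the index of the string table its entries index into.
        strtab = sections[sh_link]
        strdata = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh_offset, sh_offset + sh_size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                end = strdata.index(b"\0", d_val)
                needed.append(strdata[d_val:end].decode("ascii", "replace"))
    return needed


def links_system_libwebp(data: bytes) -> bool:
    """True if the image asks the dynamic loader for a libwebp.so.* object."""
    return any(name.startswith("libwebp.so") for name in needed_libraries(data))


def build_minimal_elf(needed: List[str]) -> bytes:
    """Constructed sample input: a tiny, non-executable ELF64 image whose only
    content is a .dynstr/.dynamic pair listing `needed` (hypothetical helper)."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode("ascii") + b"\0"
    dynamic = b"".join(DYN.pack(DT_NEEDED, o) for o in offsets) + DYN.pack(DT_NULL, 0)
    dynstr_off = EHDR.size
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                # 0: SHN_UNDEF
    shdrs += SHDR.pack(0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)    # 1: .dynstr
    shdrs += SHDR.pack(0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size)  # 2: .dynamic
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    # Usage: python3 webp_linkage.py /path/to/binary [/path/to/other.so ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        try:
            verdict = "system libwebp" if links_system_libwebp(blob) else "no libwebp in DT_NEEDED"
            print(path, verdict)
        except ValueError as err:
            print(path, "skipped:", err)
```

Run it over a browser's main executable and its large shared objects (for Firefox that is usually libxul.so rather than the launcher). A "no libwebp in DT_NEEDED" result means a libwebp7 update alone will not patch that file; it does not distinguish a vendored copy from a build without WebP support, and it will not see libraries loaded later via dlopen.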
