The vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of . In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@eighthave I agree completely. Unfortunately it seems like the Firefox package uses its own libwebp copy, because there was a separate Firefox security update
debian.org/security/2023/dsa-5
and the package does not depend on libwebp7.

@frehi exactly, this is what Debian works hard to avoid, but has refused to budge at all with in this regard. They make it impossible to build in the distro style, with shared libraries, etc. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

@eighthave Apparently there is a --with-system-webp build option, looking at github.com/void-linux/void-pac
But I guess there is a good reason why Debian does not use it.


@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp salsa.debian.org/chromium-team

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.
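As an added example (not code from the thread or from Debian), here is a small Python inspector that answers the question the thread keeps coming back to: does a given browser binary resolve libwebp from the distro package at runtime, or does it carry its own copy? It reads the ELF dynamic section directly, so it needs no ldd or dpkg; the function names and the paths in the usage block are my own.

```python
import struct
import sys

SHT_DYNAMIC, DT_NULL, DT_NEEDED = 6, 0, 1


def elf_needed(path):
    """Return the DT_NEEDED entries (shared libraries resolved by the dynamic loader) of an ELF file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 0x28)[0]        # e_shoff
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)  # e_shentsize, e_shnum
        sh_fmt = end + "IIQQQQIIQQ"     # name type flags addr offset size link info align entsize
        dyn_fmt = end + "qQ"            # Elf64_Dyn: d_tag, d_un
    else:
        shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        sh_fmt = end + "IIIIIIIIII"
        dyn_fmt = end + "iI"
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        off, size, link = sh[4], sh[5], sh[6]
        str_off = sections[link][4]     # sh_link points at the .dynstr section
        step = struct.calcsize(dyn_fmt)
        for pos in range(off, off + size, step):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:        # val is an offset into .dynstr
                needed.append(data[str_off + val:data.index(b"\0", str_off + val)].decode())
    return needed


def links_system_lib(path, soname_prefix="libwebp.so"):
    """True if the binary pulls the library in from the system, so the distro's patched package covers it."""
    return any(n.startswith(soname_prefix) for n in elf_needed(path))


if __name__ == "__main__":
    # Usage: python elf_needed.py /usr/lib/chromium/chromium /usr/lib/firefox-esr/firefox-esr
    for binary in sys.argv[1:]:
        print(binary, "system libwebp" if links_system_lib(binary) else "no libwebp dependency (vendored or absent)")
```

A binary that loads libwebp with dlopen() at runtime has no DT_NEEDED entry for it, so an empty result means only that the distro package is not the copy this binary links against.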
