lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 3 May 2021 10:38:12 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     "Maciej W. Rozycki" <macro@...am.me.uk>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Tom Stellard <tstellar@...hat.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        clang-built-linux <clang-built-linux@...glegroups.com>,
        Fangrui Song <maskray@...gle.com>,
        Serge Guelton <sguelton@...hat.com>,
        Sylvestre Ledru <sylvestre@...illa.com>
Subject: Re: Very slow clang kernel config ..

On Mon, May 03, 2021 at 03:03:31AM +0200, Maciej W. Rozycki wrote:
> 
> People went through great efforts to support shared libraries, sacrificed
> performance for it even back then when the computing power was much lower
> than nowadays.

That was because memory was *incredibly* restrictive in those days.
My first Linux server had one gig of memory, and so shared libraries
provided a huge performance boost --- because otherwise systems would
be swapping or paging their brains out.

However, these days, many if not most developers aren't capable of the
discpline needed to maintained the ABI stability needed for shared
libraries to work well.  I can think several packages where if you
used shared libraries, the major version number would need to be
bumped at every releases, because people don't know how to spell ABI,
never mind be able to *preserve* ABI.  Heck, it's the same reason that
we don't promise kernel ABI compatibility for kernel modules!

https://www.kernel.org/doc/Documentation/process/stable-api-nonsense.rst

And in the case of Debian, use of shared libraries means that every
time you release a new version of, say, f2fs-tools, things can get
stalled for months or in one case, over a year, due to the new package
review process (a shared library version bump means a new binary
package, and that in turn requires a full review of the entire source
package for GPL compliance from scratch, and f2fs-tools has bumped
their shared library major version *every* *single* *release*) ---
during which time, security bug fixes were being held up due to the
new package review tarpit.

If people could actually guarantee stable ABI's, then shared libraries
might make sense.  E2fsprogs hasn't had a major version bump in shared
libraries for over a decade (although some developers whine and
complain about how I reject function signature changes in the
libext2fs library to provide that ABI stability).  But how many
userspace packages can make that claim?

	  	       	    	 - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ