undefined | Better HN

0 points_yy10y ago0 comments

Remember that critical Go security update?

Usual procedure - update the shared library, restart affected services. Go - recompile everything.

0 comments

jerf10y ago

Yeah, but... that's not really the "usual procedure" though. Nobody who knows what they are doing literally downloads openssl manually, compiles the new shared library, manually installs it, and manually restarts the affected services, on the grounds that if you do that you have just proved you don't know what you are doing. (Most charitably, you're doing a "Linux From Scratch" for educational purposes, but that's just about the only valid reason.) Once you have introduced package management and/or system management tools, it doesn't seem like a significantly different problem anymore, and likely to be utterly swamped by the other bigger problems that appear at scale.

_yyOP10y ago

No, you update the shared library using your distribution's package manager and then restart the affected services using one of the small scripts for that purpose.

What's the issue with that?

IshKebab10y ago

Yeah that's the usual refrain, but the only situation where you have shared libraries is on Linux with a package manager. In that case it is trivial to recompile all packages that depend on the insecure library anyway.

On Windows you have to package most shared libraries with your app anyway so you have to get a new version of it anyway.

_yyOP10y ago

Sure but that's one of the reasons I use Linux.

falcolas10y ago

> update the shared library, restart affected services

... look for programs to break at runtime because of some unrelated API change in the shared library.

_yyOP10y ago

That's why Debian Stable and RHEL exist. Security patches don't break the API.

marssaxman10y ago

I am willing to believe that they come closer to the ideal than others, but nobody is perfect, and I'd rather discover incompatibilities myself, when I'm getting a new version of my app ready, before shipping, instead of trying to understand why random users are incoherently reporting impossible app failures.

falcolas10y ago

> Security patches don't break the API.

shouldn't

When the patched library is not part of Debian Stable or RHEL's repositories (for example, if you require features from a release less than a year old) all bets of API stability are off.

OpenSSL and libc are not the only libraries which are patched for security that people use.

1 more reply

zwischenzug10y ago

Which only needs to happen once.

_yyOP10y ago

Yes but still. If you have a procedure in place to recompile and redeploy everything, you could just deploy the libraries as well.

protomyth10y ago

Plus, the system admin doesn't just have to wait on the new security-patched library to be ready, they have to wait for everyone who used Go to recompile and distribute their programs.

jakub_h10y ago

So you're redeploying one binary instead of another binary. You still need to deploy something.

In fact, what about just switching connections to freshly launched VMs?

j / k navigate · click thread line to collapse

0 comments

jerf10y ago

_yyOP10y ago

No, you update the shared library using your distribution's package manager and then restart the affected services using one of the small scripts for that purpose.

What's the issue with that?

IshKebab10y ago

On Windows you have to package most shared libraries with your app anyway so you have to get a new version of it anyway.

_yyOP10y ago

Sure but that's one of the reasons I use Linux.

falcolas10y ago

> update the shared library, restart affected services

... look for programs to break at runtime because of some unrelated API change in the shared library.

_yyOP10y ago

That's why Debian Stable and RHEL exist. Security patches don't break the API.

marssaxman10y ago

falcolas10y ago

> Security patches don't break the API.

shouldn't

When the patched library is not part of Debian Stable or RHEL's repositories (for example, if you require features from a release less than a year old) all bets of API stability are off.

OpenSSL and libc are not the only libraries which are patched for security that people use.

1 more reply

zwischenzug10y ago

Which only needs to happen once.

_yyOP10y ago

Yes but still. If you have a procedure in place to recompile and redeploy everything, you could just deploy the libraries as well.

protomyth10y ago

Plus, the system admin doesn't just have to wait on the new security-patched library to be ready, they have to wait for everyone who used Go to recompile and distribute their programs.

jakub_h10y ago

So you're redeploying one binary instead of another binary. You still need to deploy something.

In fact, what about just switching connections to freshly launched VMs?

j / k navigate · click thread line to collapse