Feed Reader
Vendored dependencies
Initial notes on supporting vendored dependencies
New page
A '''vendored dependency''' is an aggregation of code (such as a package, module or library) that is included as part of a larger aggregation (usually an application) but which is also available separately on its own (such as a dynamic library). A typical example is an application (e.g. Mariadb) that distributes the source for a separate library within its source tree (e.g. readline). This can be done for a number of reasons, such as licensing issues that prevent using the module separately, custom code changes made for the application's use that are not or cannot be upstreamed, and ease of compilation for the developer.

There are many downsides to this approach. Probably the biggest one is that when a standalone dynamic library is updated to fix a security bug, the vendored versions included in other applications are not automatically updated. These applications must be updated separately, and the upstream developer may not immediately (or even ever) include the security fixes in the vendored copy, leaving the application vulnerable to security issues.
For these reasons, vendored libraries are discouraged in Mageia ''(TBD: point to the policy)''
A closely related issue is using '''dependencies that are downloaded''' at compile time. These are common in languages such as Go, Rust and Javascript (npm), and they lead to problems similar to vendoring. The result is even worse, because not only can it be difficult to determine which dependencies have been used, it can be downright impossible to determine the version numbers actually used at compile time. Without dependency names and version numbers, it becomes impossible to tell when a package is affected by a security issue in a dependency. When a security issue is reported, it can result in the need to recompile many application packages instead of a single one. It is also difficult to ensure that the licenses of all downloaded packages match those allowed by the distribution. And when packages have licenses like the GPL that require source code to be supplied with the binary, it becomes mandatory to make a copy of the downloaded source available to users.
For these reasons, files downloaded at compile time are disallowed in Mageia ''(TBD: point to the policy)''
'''Static linking''' is another practice that effectively results in the same problems as the above. Some languages (e.g. Go, Rust) statically link their dependencies, so security issues in those dependencies mean rebuilding them all against the fixed packages.
For these reasons, static linking is discouraged in Mageia ''(TBD: point to the policy)''
These are really three separate topics but since the effects of all three are very similar, they are discussed here as a block.
== Problems with disallowing vendoring ==
When vendored (bundled) and downloaded packages are disallowed, they must instead be packaged separately. This means extra work for packagers, since adding a single new complicated application can require individually packaging dozens or even hundreds of new separate dependency packages. This takes extra time, disk space and, the rarest commodity of all, packager time. It is simply not scalable and effectively means that new applications written in some of the languages particularly prone to this way of working just aren't available to Mageia users.
== The landscape ==
Two languages becoming more popular these days, Go and Rust, particularly suffer from the issues described, and supporting applications using them in Mageia is difficult due to policies designed for the C and C++ applications that were the most popular ones in the past. If we want to support programs in these languages, we need to ease the burden on packagers.
The main reasons for anti-vendoring (and related) policies are:
# to easily identify which packages need to be updated to fix security issues
# to ensure that a known security issue does not unknowingly go unfixed in the distribution
# to reduce the work in updating those packages when necessary
# to reduce time, bandwidth and disk space for users
# to ensure source code is always available to users to fulfill licensing obligations
If we can find a way to satisfy those requirements to a reasonable degree while still allowing vendoring and downloading of modules at compile time, we can ease the burden on our packagers and infrastructure.
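The first two reasons above, identifying the packages that need an update and making sure a known issue is not silently missed, come down to recovering dependency names and versions. For a vendored Go tree that information is recorded by `go mod vendor` in vendor/modules.txt. The following is an added example, not code from the Mageia wiki, that parses a constructed modules.txt and checks it against a constructed, hypothetical advisory list (module path plus first fixed version); it assumes plain vX.Y.Z versions and ignores pre-release and build suffixes when comparing.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample in the layout `go mod vendor` writes to vendor/modules.txt:
// "# <module> <version>" headers, optional "## explicit" annotations, then package paths.
const sampleModulesTxt = `# github.com/example/netlib v1.4.2
## explicit; go 1.21
github.com/example/netlib
# golang.org/x/text v0.3.7
## explicit
# github.com/example/other v2.0.0+incompatible
github.com/example/other
`

// Advisory is a hypothetical record: a module path and the first version carrying the fix.
type Advisory struct{ ID, Module, Fixed string }

// VendoredModules maps module path -> version recorded in modules.txt content.
func VendoredModules(content string) map[string]string {
	mods := make(map[string]string)
	for _, line := range strings.Split(content, "\n") {
		// Only "# <module> <version>" headers matter; "## explicit" and package lines are skipped.
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" {
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// semverParts splits vX.Y.Z into numbers; pre-release and build suffixes are dropped (assumption).
func semverParts(v string) (out [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// semverLess reports whether version a is numerically lower than version b.
func semverLess(a, b string) bool {
	pa, pb := semverParts(a), semverParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Affected returns the IDs of advisories whose module is vendored below the fixed version.
func Affected(mods map[string]string, advs []Advisory) []string {
	var hits []string
	for _, a := range advs {
		if v, ok := mods[a.Module]; ok && semverLess(v, a.Fixed) {
			hits = append(hits, a.ID)
		}
	}
	return hits
}
```

Run over a real package's vendor/modules.txt, the same map answers the licensing question too, since it names every module whose source the package ships.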
== A way forward ==
=== Go ===
The following proposal satisfies the reasons for the anti-vendoring policies above, while allowing applications to be packaged without individually packaging each dependency. The specifics listed in this section are for handling Go applications, but it can be generalized for other languages in the future.
TBD
=== C/C++ ===
Since these languages support dynamic linking and the developer culture does not generally encourage a huge number of small dependencies, no proposal is currently being made to ease the vendoring restrictions in C or C++ applications.
=== Others ===
The proposals for Go should generalize to applications in other compiled languages as well. It is possible to develop infrastructure to support interpreted languages too, but the benefits may not be as clear.
The languages with the largest number of modules in Mageia as of this writing (in approximate decreasing order) are:
# Rust
# Perl
# Python
# Java
# Go
# Ruby
# OCaml
# Nodejs (Javascript)
# PHP
# Erlang
== See Also ==
* [[Packages carrying bundled copies of system libraries]]
* [[Security Updates]]
[[Category:Packaging]] Danf
Categories: Mageia Wiki
SOP Killing builds
Cancel the build: Run as schedbot
← Older revision Revision as of 06:58, 24 January 2025 Line 11: Line 11: Find the build at https://pkgsubmit.mageia.org/ and look under ''Status'' for the build's ID (it will look like YYYYMMDDHHMMSS.USER.HOST.ID). Log in to duvel and run: Find the build at https://pkgsubmit.mageia.org/ and look under ''Status'' for the build's ID (it will look like YYYYMMDDHHMMSS.USER.HOST.ID). Log in to duvel and run: − cancel_build 20231231211004.pterjan.duvel.1487312+ sudo -u schedbot cancel_build 20231231211004.pterjan.duvel.1487312 providing the build ID you just found. providing the build ID you just found. Danf
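Review bot: the replacement `sudo -u schedbot cancel_build 20231231211004.pterjan.duvel.1487312` switches the command to run as the schedbot user, but the sentence before it still reads "Log in to duvel and run:" with no mention of that, so a reader whose account has no sudo rights to schedbot only learns about the requirement from the resulting error. Suggest extending the sentence to "Log in to duvel and run, as the schedbot user via sudo:" so the page states the prerequisite itself.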
Categories: Mageia Wiki
MGASA-2025-0021 - Updated golang packages fix security vulnerabilities
Publication date: 23 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-45336, CVE-2024-45341
Description:
net/http: sensitive headers incorrectly sent after cross-domain redirect. (CVE-2024-45336)
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints. (CVE-2024-45341)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33940
- https://www.openwall.com/lists/oss-security/2025/01/17/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45336
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45341
- golang-1.22.11-1.mga9
Categories: Security Updates
Mageia 9 Errata
Chromium browser: Update
← Older revision Revision as of 20:53, 22 January 2025 Line 271: Line 271: === Chromium browser === === Chromium browser === −We seem not to have packagers for keeping Chromium browser updated, {{Bug|33609}}. Workarounds: As [[Flatpak|Flatpak]] install app/org.chromium.Chromium/x86_64/stable, or Chrome. Or Chrome rpm from Google.+We seem not to have packagers for keeping Chromium browser updated, {{Bug|33609}}. Workarounds: As [[Flatpak|Flatpak]] install app/org.chromium.Chromium/x86_64/stable, or Chrome. Or Chrome rpm from Google. Update January 2025: currently it is updated. − === Firefox ESR === === Firefox ESR === Morgano
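Review bot: appending "Update January 2025: currently it is updated." leaves the paragraph contradicting itself, because the first sentence still states that there are no packagers keeping Chromium browser updated and then lists the Flatpak and Chrome workarounds as the recommended course. Suggest rewriting the paragraph instead of adding a trailing note, e.g. lead with the current status (updated as of January 2025, see {{Bug|33609}}) and present the Flatpak build or Google's Chrome RPM as fallbacks for when the Mageia package lags behind upstream.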
Categories: Mageia Wiki
MGASA-2025-0020 - Updated chromium-browser-stable packages fix security vulnerabilities
Publication date: 22 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966
Description:
Many CVEs were fixed upstream since our current version; please see the links.
References:
- https://bugs.mageia.org/show_bug.cgi?id=33609
- https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html
- https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
- https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html
- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html
- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html
- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7025
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9369
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9370
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9602
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9603
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9959
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9960
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9963
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9964
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9965
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9966
- chromium-browser-stable-132.0.6834.84-1.mga9.tainted
Categories: Security Updates
Mageia 10 Release Notes
Internet apps: Suggesting alternatives for our (to be) dropped chromium-browser.
← Older revision Revision as of 16:41, 22 January 2025 Line 344: Line 344: === Internet apps === === Internet apps === −* Chromium-browser have been dropped due to too much maintenance work. <!--#33609-->+* Chromium-browser have been dropped due to too much maintenance work. <!--#33609--> If you need it, install it as [[Flatpak]]; install app/org.chromium.Chromium/x86_64/stable, or Chrome Flatpak. Or use the Chrome RPM from Google. * Firefox has been updated to ** * Firefox has been updated to ** * We added browsers for Gemini protocol: Lagrange (SDL), Kristall (Qt), Offpunk (CLI). * We added browsers for Gemini protocol: Lagrange (SDL), Kristall (Qt), Offpunk (CLI). Morgano
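Review bot: "Chromium-browser have been dropped" should read "has been dropped" (the unchanged half of the line carries the same error, so fix it while touching the line). The added alternatives (the org.chromium.Chromium Flatpak, the Chrome Flatpak, Google's Chrome RPM) are all delivered from outside the distribution, and the hunk presents them as drop-in replacements without saying so; suggest one added sentence such as "These are updated by their respective providers, not through Mageia updates." so readers know where their security fixes will come from.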
Categories: Mageia Wiki
MGASA-2025-0019 - Updated rsync packages fix security vulnerabilities
Publication date: 22 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
Description:
Heap buffer overflow in rsync due to improper checksum length handling. (CVE-2024-12084)
Info leak via uninitialized stack contents. (CVE-2024-12085)
Rsync server leaks arbitrary client files. (CVE-2024-12086)
Path traversal vulnerability in rsync. (CVE-2024-12087)
Rsync --safe-links option bypass leads to path traversal. (CVE-2024-12088)
Race condition in rsync handling symbolic links. (CVE-2024-12747)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33920
- https://www.openwall.com/lists/oss-security/2025/01/14/3
- https://lists.debian.org/debian-security-announce/2025/msg00004.html
- https://ubuntu.com/security/notices/USN-7206-1
- https://ubuntu.com/security/notices/USN-7206-2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12084
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12085
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12086
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12087
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12088
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12747
- rsync-3.2.7-1.2.mga9
Categories: Security Updates
Mageia 10 Développement-fr
Add pt-BR
← Older revision Revision as of 23:37, 20 January 2025 Line 2: Line 2: [[Category:Mageia 10]] [[Category:Mageia 10]] −{{Multi language banner-fr|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Développement-fr|Français]]}}+{{Multi language banner-fr|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]] ;}} == État actuel == == État actuel == Xgrind
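Review bot: the new entry ends with " ;}}", a separator with nothing after it, which renders as a dangling ";" after "português brasileiro" in the banner. Suggest "[[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]]}}". The label is also lower-case while every other entry in the banner is a capitalised language name (Deutsch, English, Français); "Português (Brasil)" would match.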
Categories: Mageia Wiki
Mageia 10 Desarrollo
Add pt-BR
← Older revision Revision as of 23:34, 20 January 2025 Line 2: Line 2: [[Category:Mageia 10]] [[Category:Mageia 10]] −{{multi language banner|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Desarrollo|Español]] ; [[Mageia_10_Développement-fr|Français]]}}+{{multi language banner|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Desarrollo|Español]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]] ;}} Esta es la página para el desarrollo de Mageia 10. Esta es la página para el desarrollo de Mageia 10. Xgrind
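Review bot: the added pt-BR entry is followed by " ;}}", leaving a trailing ";" separator that renders after the last language name. Suggest dropping the separator: "[[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]]}}", and capitalising the label to match "Deutsch", "English", "Español" and "Français" in the same banner.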
Categories: Mageia Wiki
Mageia 10 Development
Add pt-BR
← Older revision Revision as of 23:34, 20 January 2025 Line 2: Line 2: [[Category:Mageia 10]] [[Category:Mageia 10]] −{{multi language banner|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Desarrollo|Español]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10 - pt-BR|Português (Brasil)]]}}+{{multi language banner|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Desarrollo|Español]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]] ;}} This is the page for Mageia 10 development. This is the page for Mageia 10 development. Xgrind
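Review bot: the link target change from "Desenvolvimento do Mageia 10 - pt-BR" to "Desenvolvimento do Mageia 10-pt-BR" matches the page that was actually created, so the previously dangling link now resolves; that part is fine. The hunk also replaces the capitalised label "Português (Brasil)" with lower-case "português brasileiro" and appends " ;" before "}}", which renders a stray ";" after the last entry. Suggest keeping the old label and ending the banner with "...|Português (Brasil)]]}}".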
Categories: Mageia Wiki
Mageia 10 Entwicklung-de
Add pt-BR
← Older revision Revision as of 23:34, 20 January 2025 Line 1: Line 1: −{{multi language banner-de|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Développement-fr|Français]]}}+{{multi language banner-de|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]] ;}} Xgrind
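Review bot: as on the other language banners, the appended entry ends in " ;}}", so a separator renders with nothing after it. Suggest "[[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]]}}" and a capitalised label consistent with "Deutsch", "English" and "Français".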
Categories: Mageia Wiki
Desenvolvimento do Mageia 10-pt-BR
Creating the page Desenvolvimento do Mageia 10-pt-BR
New page
[[Category:Mageia_development]][[Category:Mageia 10]]
{{multi language banner-pt-BR|[[Mageia 10 Entwicklung-de|Deutsch]] ; [[Mageia_10_Development|English]] ; [[Mageia_10_Desarrollo|Español]] ; [[Mageia_10_Développement-fr|Français]] ; [[Desenvolvimento do Mageia 10-pt-BR|português brasileiro]]}}
This is the page for Mageia 10 development.
== Current status ==
The estimated release dates listed below are '''indicative only''', and may change depending on progress in fixing release-blocking bugs.
{{Note-pt-BR|"We will release when it is ready"!}}
== Development schedule ==
Use dates in the https://pt.wikipedia.org/wiki/ISO_8601 format to avoid conflicts between the USA and Great Britain :p
{| style="color:black;" cellpadding="5%" cellspacing="0" border="1"
! Stage
! Estimated date
! Audience
! Released on
|-
| '''Alpha 1'''
| To be defined
| developers, packagers
|
|-
| Version freeze
| To be defined
| developers, packagers
|
|-
| '''Beta 1'''
| To be defined
| developers, packagers
|
|-
| '''Beta 2'''
| To be defined
| developers, packagers
|
|-
| Release freeze
| To be defined
| QA, packagers, ISO builders
|
|-
| '''Release Candidate 1'''
| Beta 2 + 2 weeks
| QA, packagers, ISO builders
|
|-
| '''[[Notas de lançamento do Mageia 9-pt-BR|Final release]]'''
| Release Candidate 1 + 4 weeks
| anyone
|
|}
== Technical specifications ==
See the [[FeatureMageia10_Review|Mageia 10 specifications]] Xgrind
Categories: Mageia Wiki
MGASA-2025-0018 - Updated raptor2 packages fix security vulnerability
Publication date: 20 Jan 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-57823
Description:
In the Raptor RDF Syntax Library there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path(). (CVE-2024-57823)
References:
- https://bugs.mageia.org/show_bug.cgi?id=33929
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7S7ZVXAGSBLZGFFVSEHSDXQND2DNAKY2/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57823
- raptor2-2.0.15-23.1.mga9
Categories: Security Updates
