Traditionally a lot of shared libraries are in the OS and quite good at not breaking things, you can run windows update or apt-get upgrade and apps shouldn't break. So tradtitionally, the shared library isn't updated anyway until the app is fixed and deployed for the new version of the shared lib. > traditional shared libraries never have good enough interfaces to not break stuff. In practice, both shared dependencies and static dependencies have tradeoffs, but security is not one of them.īoth can be and should be easy to make secure in the sense of "make sure it contains the fix".īoth may require app redeployment in practice, and expecting them not to is not a good strategy right now (for most programming languages) The same works for shared dependencies, of course. Modify to have whatever grace period you want. You say that any binary in prod must be something past that CL (which can be verified using the build stamping). In any sane bundled system, this increments that number. Someone commits the CL that fixes the dependency. So tradtitionally, the shared library isn't updated anyway until the app is fixed and deployed for the new version of the shared lib.īundled dependencies are easy to handle from a security perspective.īuild stamping tells you what CLs are contained (or just go by monotonically incrementing number if it's bundled deps). Traditional shared libraries never have good enough interfaces to not break stuff.
#PROTOBUFF WINDOWS CMAKE FULL#
One caveat - as released it won't quite be bitwise hermetic, as it depends on an external Xilinx toolchain, and Xilinx does non-hermetic things to their bits that are awkward to work around (you can, but my code to do that is a much less mature shell script full of dd and cat commands to rip apart bitstreams and glue them back together - I've since found open source tooling for accomplishing the same task, but haven't adopted it yet).ĭrop me an email (addr in profile) and I'll tell you when it's up. I don't anticipate any blocking issues, though, as the bazel bits don't expose anything about Google. It usually takes a week or two, but no promises. Since it seems there's interest I'll take a stab at that on Monday. It is by FAR easier/faster for me to release under Google's copyright, but there's a bit of "paperwork" I need to go through to get it staged and approved for the Google GitHub. It's a little complicated as I did it for a personal project, but I'm also pulling it into Google for my 20% project.
0 kommentar(er)
