Oddbean new post about | logout
510a17ef | 1 years ago (raw) | export | reply | flag 
 The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
Frehi | 1 years ago (raw) | root | parent | reply | flag 
 @c9b364e6 I agree completely. Unfortunately it seems like the Firefox package uses its own libwebp copy, because there was a separate Firefox security update
https://www.debian.org/security/2023/dsa-5496
and the package does not depend on libwepb7.
65d34d63 | 1 years ago (raw) | root | parent | reply | flag 
 @c9b364e6 

And the underlying reason for rejecting the distro model is that "You can't have the shiniest new thing, and not be part of the Cool Kids Club."