oss-security - Re: Haskell programs in distributions (was: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx))

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sun, 1 Oct 2023 13:03:46 +0200
From: Erik Auerswald <auerswal@...x-ag.uni-kl.de>
To: oss-security@...ts.openwall.com
Subject: Re: Haskell programs in distributions (was: Rust
 programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8
 encoding in libvpx))

Hi,

On Sat, Sep 30, 2023 at 07:28:46PM -0400, Michael Orlitzky wrote:
> On Sat, 2023-09-30 at 13:00 -0400, Demi Marie Obenour wrote:
> > It is also worth noting that Rust-the-language supports dynamic linking.
> > Once Cargo supports this and downstreams (like Fedora) obtain sufficient
> > build capacity, it will be possible to use dynamic linking by performing
> > automatic cascading rebuilds whenever a package is upgraded.  Arch
> > already does this for Haskell IIUC.
> 
> We do it for Haskell in Gentoo, too, but we have a dark secret: it only
> works because Haskell became unpopular. There are basically only two
> Haskell programs, and everything works for n = 2.

I am curious, what two prgrams do you think of?

I know of two Haskell programs I regularly use, Pandoc and ShellCheck.

Best regards,
Erik
-- 
[T]he most dangerous enemy of a better solution is an existing codebase
that is just good enough.
                        -- Eric S. Raymond

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.