Re: Reducing the attack surface caused by Berkeley DB...

2018-06-18 Thread Lionel Debroux
Time to reply to myself again :) I went silent in this thread since the end of January because I spent time fuzzing 8 libraries + CLI front-ends of the DBM family, starting with LMDB: > > liblmdb* or libleveldb* are much less popular in popcon by_inst than > > libdb, yeah... > > > > > > Do we

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Lionel Debroux
Hi Adrian, On 1/27/18 1:35 PM, Adrian Bunk wrote: > On Sat, Jan 27, 2018 at 12:25:20PM +0100, Lionel Debroux wrote: > > Hi Adrian, > > Hi Lionel, > > > On 1/27/18 6:27 AM, Adrian Bunk wrote: > > ... > > > There doesn't seem to be any disagreement on the general idea, > > > the only thing missing

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Lionel Debroux
Hi David, On 1/27/18 1:12 PM, David Kalnischkies wrote: > On Fri, Jan 26, 2018 at 11:49:41PM +0100, Lionel Debroux wrote: > > > Anyway, the only util in apt-utils making use of libdb is > > > apt-ftparchive which a) isn't used much in Debian – but by some > > > derivatives¹ and b) can operate

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Lionel Debroux
Replying to myself... On 1/26/18 11:48 PM, Lionel Debroux wrote: > Hi Scott, > > On 1/26/18 7:05 AM, Scott Kitterman wrote: > > On Thursday, January 25, 2018 11:59:06 PM Lionel Debroux wrote: > > > > > > [...] > > > --- > > > Do you think we should start the journey of getting rid of > > >

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Miriam Ruiz
2018-01-27 13:53 GMT+01:00 David Kalnischkies : > On Fri, Jan 26, 2018 at 12:24:26PM +0100, Miriam Ruiz wrote: >> 2018-01-26 12:02 GMT+01:00 Colin Watson : >> >> Finding someone performing the daunting task of actually switching code, >> >> documentation

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Adrian Bunk
On Sat, Jan 27, 2018 at 01:53:54PM +0100, David Kalnischkies wrote: >... > I guess you can kill both birds with one stone if you go for a "write > libdb-api-compatibility layer for your favorite other db", but that > wouldn't really be a Debian task anymore. Without even thinking a split- > second

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Adrian Bunk
On Sat, Jan 27, 2018 at 12:22:59PM +0100, Lionel Debroux wrote: >... > On 1/27/18 1:42 AM, Guillem Jover wrote: > > On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote: > > > Several days ago, jmm from the security team suggested that I start > > > a discussion on debian-devel about

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread David Kalnischkies
On Fri, Jan 26, 2018 at 12:24:26PM +0100, Miriam Ruiz wrote: > 2018-01-26 12:02 GMT+01:00 Colin Watson : > >> Finding someone performing the daunting task of actually switching code, > >> documentation and existing databases over on the other hand… I at least > >> don't see me

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Adrian Bunk
On Sat, Jan 27, 2018 at 12:25:20PM +0100, Lionel Debroux wrote: > Hi Adrian, Hi Lionel, > On 1/27/18 6:27 AM, Adrian Bunk wrote: >... > > There doesn't seem to be any disagreement on the general idea, > > the only thing missing is a person doing the work on getting > > all Debian packages ported

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread David Kalnischkies
On Fri, Jan 26, 2018 at 11:49:41PM +0100, Lionel Debroux wrote: > > Anyway, the only util in apt-utils making use of libdb is > > apt-ftparchive which a) isn't used much in Debian – but by some > > derivatives¹ and b) can operate without the backing of a db, but you > > don't want to run a large

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Lionel Debroux
Hi Adrian, On 1/27/18 6:27 AM, Adrian Bunk wrote: > On Fri, Jan 26, 2018 at 11:49:41PM +0100, Lionel Debroux wrote: > > ... > > On 1/26/18 11:39 AM, David Kalnischkies wrote: > > ... > > > Finding someone performing the daunting task of actually switching > > > code, documentation and existing

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-27 Thread Lionel Debroux
Hi Guillem, On 1/27/18 1:42 AM, Guillem Jover wrote: > On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote: > > Several days ago, jmm from the security team suggested that I start > > a discussion on debian-devel about Berkeley DB, which has known > > security issues, because doing so may

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Adrian Bunk
On Fri, Jan 26, 2018 at 11:49:41PM +0100, Lionel Debroux wrote: >... > On 1/26/18 11:39 AM, David Kalnischkies wrote: >... > > Finding someone performing the daunting task of actually switching > > code, documentation and existing databases over on the other hand… I > > at least don't see me

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Guillem Jover
Hi! On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote: > Several days ago, jmm from the security team suggested that I start a > discussion on debian-devel about Berkeley DB, which has known security > issues, because doing so may enable finding a consensus on how to move > away from it

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Lionel Debroux
Hi, On 1/26/18 11:39 AM, David Kalnischkies wrote: > On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote: > > In practice, Berkeley DB is a core component of most *nix distros. > > Debian popcon indicates that libdb5.3 is installed on ~80% of the > > computers which report to popcon. >

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Lionel Debroux
Hi Scott, On 1/26/18 7:05 AM, Scott Kitterman wrote: > On Thursday, January 25, 2018 11:59:06 PM Lionel Debroux wrote: > > > > [...] > > --- > > Do you think we should start the journey of getting rid of libdb5.3 > > at a wide scale ? And if so, how to optimize resource usage in > > general ? :)

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Lionel Debroux
Hi Timo, On 1/26/18 12:21 PM, Timo Aaltonen wrote: > On 26.01.2018 00:59, Lionel Debroux wrote: > > --- > > Do you think we should start the journey of getting rid of libdb5.3 > > at a wide scale ? And if so, how to optimize resource usage in > > general ? :) > > --- > > I asked 389-ds-base

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Lionel Debroux
Hi Marco, On 1/26/18 1:46 AM, Marco d'Itri wrote: > On Jan 25, Lionel Debroux wrote: > > Several days ago, jmm from the security team suggested that I start > > a discussion on debian-devel about Berkeley DB, which has known > > security issues, because doing so may

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Lionel Debroux
Hi Ryan, On 1/26/18 1:02 AM, Ryan Tandy wrote: > On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote: > > the vast majority of the ~170 reverse dependencies of libdb5.3 > > listed by `apt-cache rdepends libdb5.3` on sid will require (much) > > more work to get rid of that dependency,

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Timo Aaltonen
On 26.01.2018 00:59, Lionel Debroux wrote: > --- > Do you think we should start the journey of getting rid of libdb5.3 at a > wide scale ? And if so, how to optimize resource usage in general ? :) > --- I asked 389-ds-base upstream about their plans, and got this draft plan of getting rid of bdb

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Miriam Ruiz
2018-01-26 12:02 GMT+01:00 Colin Watson : >> Finding someone performing the daunting task of actually switching code, >> documentation and existing databases over on the other hand… I at least >> don't see me enthusiastically raising my arm crying "let me, let me, …". > > I

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread Colin Watson
On Fri, Jan 26, 2018 at 11:39:29AM +0100, David Kalnischkies wrote: > On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote: > > In practice, Berkeley DB is a core component of most *nix distros. > > Debian popcon indicates that libdb5.3 is installed on ~80% of the > > computers which

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-26 Thread David Kalnischkies
On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote: > In practice, Berkeley DB is a core component of most *nix distros. > Debian popcon indicates that libdb5.3 is installed on ~80% of the > computers which report to popcon. I wonder how many of this ~80% is only due to having

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-25 Thread Scott Kitterman
On Thursday, January 25, 2018 11:59:06 PM Lionel Debroux wrote: > Hi, > > Several days ago, jmm from the security team suggested that I start a > discussion on debian-devel about Berkeley DB, which has known security > issues, because doing so may enable finding a consensus on how to move > away

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-25 Thread Marco d'Itri
On Jan 25, Lionel Debroux wrote: > Several days ago, jmm from the security team suggested that I start a > discussion on debian-devel about Berkeley DB, which has known security > issues, because doing so may enable finding a consensus on how to move Can you clarify the

Re: Reducing the attack surface caused by Berkeley DB...

2018-01-25 Thread Ryan Tandy
On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote: > the vast majority of the ~170 reverse dependencies of libdb5.3 listed by `apt-cache rdepends libdb5.3` on sid will require (much) more work to get rid of that dependency, with impact on backwards compatibility... Among those

Reducing the attack surface caused by Berkeley DB...

2018-01-25 Thread Lionel Debroux
Hi, Several days ago, jmm from the security team suggested that I start a discussion on debian-devel about Berkeley DB, which has known security issues, because doing so may enable finding a consensus on how to move away from it in Debian (which is hard). So here's a post :) Please keep me