Tracking statically linked dependencies with metadata
In part due to the concerns of mitigating security vulnerabilities in statically linked dependencies, #30 (closed) was opened. However, an examination of the issue shows that the underlying concern involves the distribution at large.
For example, besides static linking against libraries Alpine provides, some packages vendor their own copies of packages, which need to be tracked and patched for CVEs. At present, Alpine lacks the ability to handle this patching lifecycle except to keep track of these situations by hand and hope that everything gets patched.
Accordingly, it is proposed to use the provider-metadata system to record which packages are either statically linked against other packages in Alpine, or against vendored code.
We propose two namespaces:

- `bundled:$packagename` - this will be declared for packages which use static linking, allowing tooling to do rebuilds as needed
- `vendored:$packagename` - this will be declared for packages which use vendored code, allowing the security team to track CVEs in the vendored code inside those packages
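As an added illustration of what the tooling side of this proposal could look like (this is example code written for this page, not part of Alpine's tooling or of this proposal), the script below parses a constructed APKINDEX-style fragment and lists every package that declares a `bundled:` or `vendored:` provider for a given upstream name. The `affected_by` function, the index contents and the assumption that the markers are recorded in the `p:` (provides) field, optionally with an `=version` suffix, are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed APKINDEX fragment (not taken from any real repository).
# Records are blank-line separated; "P:" is the package name, "V:" the
# version and "p:" the space-separated provider list, which is where the
# proposed bundled:/vendored: markers are assumed to live.
INDEX='P:foo-static
V:1.2.3-r0
p:cmd:foo bundled:libpng bundled:zlib=1.3

P:chromium
V:120.0-r0
p:cmd:chromium vendored:libpng vendored:libwebp

P:curl
V:8.5.0-r0
p:cmd:curl so:libcurl.so.4=4
'

# affected_by NAME [NAMESPACE]
# Print "package version namespace" for every package whose provider list
# carries bundled:NAME or vendored:NAME. A second argument restricts the
# search to one namespace (e.g. "vendored" for the security team's CVE
# tracking, "bundled" for scheduling rebuilds).
affected_by() {
    name=$1
    ns=${2:-"bundled|vendored"}
    printf '%s\n' "$INDEX" | awk -v name="$name" -v ns="$ns" '
        /^P:/ { pkg = substr($0, 3) }
        /^V:/ { ver = substr($0, 3) }
        /^p:/ {
            n = split(substr($0, 3), prov, " ")
            for (i = 1; i <= n; i++) {
                # provider entries look like namespace:name[=version]
                split(prov[i], kv, ":")
                sub(/=.*/, "", kv[2])
                if (kv[1] ~ ("^(" ns ")$") && kv[2] == name)
                    print pkg, ver, kv[1]
            }
        }'
}

# Example: a CVE lands in libpng; which packages carry their own copy?
affected_by libpng
```

Running it prints `foo-static 1.2.3-r0 bundled` and `chromium 120.0-r0 vendored`, i.e. one package to rebuild and one whose vendored copy needs a patch, while `curl` is not reported because a normal `so:` dependency is already handled by dynamic linking.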
Vendored code should still ideally be avoided in Alpine packages, of course, but is sometimes necessary due to downstream modification of the vendored code (for example in Chromium).
It is intended that this proposal supersede #30 (closed).