> Alpine is dynamically linked, we just do not link SSH against libsystemd. In general, I think systemd needs to split up the various components in libsystemd into separate libraries, as there is no reason sd_notify() would ever require liblzma.
> Anyone who is claiming that Alpine is secure because it's staticly linked have clearly never actually looked at a running Alpine system. I blame the initial Rust PR for musl support for starting this whole "musl = static linking" meme.
as an Alpine contributor: while in this case it's true (sshd linking to libsystemd in Ubuntu is a result of a patch applied by Debian), `ldd` is not a good indicator for this. it does not say whether these dependencies are not there or get vendored and statically linked instead.
in other packages, we've sometimes specifically put work into making the ldd output longer, because a dependency not being statically compiled into the binaries means that we can effectively ship updates to it. as of now, running ldd on our binary of chromium returns 141 lines of output, or 157 for electron. when CVE-2023-4863 happened, we just quickly shipped a fix to libwebp, and that was the fix for our chromium and electron packages as well. a typical electron app you download (outside alpine repos) ships its own copy of electron with all these dependencies inside. ldd on that binary will output just 2 lines. it doesn't mean that it doesn't use all these dependencies, it means a much longer dependency chain in which your Electron chat app's developer might not realize they're vulnerable for 3 days until someone tells them, or "beta test" the update for half a month (both real examples from real chat apps)
A good time for a reminder that you shouldn't `ldd` untrusted executables. It basically works by executing them with some special flags that the linker picks up which causes it to print the report. If the binary is nefarious it can hijack this and run whatever it wants.
[+] [-] olix0r|2 years ago|reply
“Feels” being the operative word… alpine is statically linking all of the same libraries, you’re just not able to see them via LDD.
[+] [-] juliusdavies|2 years ago|reply
Here's a copy/paste of her response from LinkedIn (https://www.linkedin.com/feed/update/urn:li:activity:7180667...)
> Alpine is dynamically linked, we just do not link SSH against libsystemd. In general, I think systemd needs to split up the various components in libsystemd into separate libraries, as there is no reason sd_notify() would ever require liblzma.
> Anyone who is claiming that Alpine is secure because it's staticly linked have clearly never actually looked at a running Alpine system. I blame the initial Rust PR for musl support for starting this whole "musl = static linking" meme.
[+] [-] selfisekai|2 years ago|reply
in other packages, we've sometimes specifically put work into making the ldd output longer, because a dependency not being statically compiled into the binaries means that we can effectively ship updates to it. as of now, running ldd on our binary of chromium returns 141 lines of output, or 157 for electron. when CVE-2023-4863 happened, we just quickly shipped a fix to libwebp, and that was the fix for our chromium and electron packages as well. a typical electron app you download (outside alpine repos) ships its own copy of electron with all these dependencies inside. ldd on that binary will output just 2 lines. it doesn't mean that it doesn't use all these dependencies, it means a much longer dependency chain in which your Electron chat app's developer might not realize they're vulnerable for 3 days until someone tells them, or "beta test" the update for half a month (both real examples from real chat apps)
[+] [-] kevincox|2 years ago|reply
https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/ldd.bas...
[+] [-] unknown|2 years ago|reply
[deleted]