[HarfBuzz] Loading Graphite dynamically
Martin Hosken
mhosken at gmail.com
Fri May 22 00:33:28 PDT 2015
Dear Behdad,
> 1. Can distro people please chime in with their preferences?
Debian, Ubuntu and Fedora and derivatives (AFAIK) make their harfbuzz packages dependent on the libgraphite package. Thus they all enable Graphite at the system level. libgraphite is too small not to ship. The only people who get concerned about this are those who statically link harfbuzz into a framework: qt, gecko, chromium, gtk?. Where such frameworks dynamically link to a system harfbuzz, there is less of an issue.
From what you say, chromium won't dlopen a library, although I got it to work just fine in that mode in an android app (content shell). So perhaps this a difference between the app and the view?
> 2. What are the security implications of this?
The same for any dlopen. Notice that only the system library load path is used, so if someone nafarious can write to that area, they may be able to use that as a vector, but that would be just as true for any other dependent library, whether loaded at startup, during preload. I realise this is a bit of an off the cuff answer, and I would love to hear from a security expert on this.
Yours,
Martin
More information about the HarfBuzz
mailing list