> Which feels safer to you?<p>“Feels” being the operative word… alpine is statically linking all of the same libraries, you’re just not able to see them via LDD.
as an Alpine contributor: while in this case it's true (sshd linking to libsystemd in Ubuntu is a result of a patch applied by Debian), `ldd` is not a good indicator for this. it does not say whether these dependencies are not there or get vendored and statically linked instead.<p>in other packages, we've sometimes specifically put work into making the ldd output <i>longer</i>, because a dependency not being statically compiled into the binaries means that we can effectively ship updates to it. as of now, running ldd on our binary of chromium returns 141 lines of output, or 157 for electron. when CVE-2023-4863 happened, we just quickly shipped a fix to libwebp, and that was the fix for our chromium and electron packages as well. a typical electron app you download (outside alpine repos) ships its own copy of electron with all these dependencies inside. ldd on that binary will output just 2 lines. it doesn't mean that it doesn't use all these dependencies, it means a much longer dependency chain in which your Electron chat app's developer might not realize they're vulnerable for 3 days until someone tells them, or "beta test" the update for half a month (both real examples from real chat apps)
A good time for a reminder that you shouldn't `ldd` untrusted executables. It basically works by executing them with some special flags that the linker picks up which causes it to print the report. If the binary is nefarious it can hijack this and run whatever it wants.<p><a href="https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/ldd.bash.in;h=d6b640df666c5e2d064175c31afa41eb5e63aa3d;hb=a0698a5e92ceeed3409d28623b1d599da6bc887d#l116" rel="nofollow">https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/ldd.bas...</a>