Remove dependency on libjansson

[Orlando Arias]

Greetings,

On 4/2/24 5:40 AM, Rui Ueyama wrote:
> We have discussed various topics already, and I don't think there's a
> single answer because this is all about engineering tradeoffs.
> 
> I'd like to hear from other devs who are following this thread if there are any.

I am not a developer but I am a security researcher. The dependency as 
it is should be left in for a simple reason: you should always sanitize 
your inputs [1]. If the LLVM stack ignores this precept then they are 
doing it wrong. Why? Because of a little something we call in security a 
weird machine [2]. Parsers are complex beasts and can be made very easy 
to misbehave given errors in the grammar handler.

Your proposal of removing the dependecy to libjansson would require 
binutils to implement a brand new JSON parser to sanitize inputs, which, 
as previously mentioned is something you should be doing. This now 
introduces extra burden on the maintainers as well as the possibility of 
introducing parsing bugs in binutils. Binutils is now worse off and 
possibly vulnerable.

As previously mentioned, you want your tooling to catch errors earlier. 
Binutils is something that is not normally run as a superuser. However, 
the tools that end up processing the JSON metadata, such as the core 
dump handler in systemd can be running at high privileges. Do you want 
to risk it and move the weird machine behavior to that target?

Cheers.

[1] https://xkcd.com/327/
[2] https://en.wikipedia.org/wiki/Weird_machine