Remove dependency on libjansson
Michael Matz
matz@suse.de
Wed Apr 3 14:58:13 GMT 2024
Hello,

On Tue, 2 Apr 2024, Orlando Arias wrote:
> Greetings,
>
> On 4/2/24 5:40 AM, Rui Ueyama wrote:
> > We have discussed various topics already, and I don't think there's a
> > single answer because this is all about engineering tradeoffs.
> >
> > I'd like to hear from other devs who are following this thread if there are
> > any.
>
> I am not a developer but I am a security researcher. The dependency as
> it is should be left in for a simple reason: you should always sanitize
> your inputs [1].

Indeed. But note that you're saying something else than what you wanted
to say :) For ld the input here is "blob of bytes". That it's actually
JSON (or claims to be!) is a matter for the processor of these .note
sections. _Those_ need to check the contents of them for being proper
JSON themselves. They cannot rely on ld having produced "correct" .note
sections anyway. They could have been produced by bad tools, or
retroactively be mangled.

So, as such checking in the consumer tools for the .notes cannot be
avoided the early checking at producer time is a bit wasteful, and from a
security perspective achieves exactly nothing.

(FWIW, for openSUSE I've disabled this all (or rather, didn't enable it)
as I don't want libjansson in the bootstrap pkgbuild cycle just for this.
Supply chain attacks or similar weren't my reason back then, and aren't
now :) )

Ciao,
Michael.
More information about the Binutils
mailing list
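
The consumer-side check described in the message above, as an added example that is not part of the original post or of binutils: a reader that treats a .note section as untrusted bytes, bounds-checks each note record, and only then validates the payload as JSON. The size cap, the object-at-top-level rule, the NUL-padding handling, the little-endian default and the sample note are assumptions made for this example.

```python
import json
import struct

MAX_DESC = 64 * 1024  # assumed cap on payload size, chosen for this example

class NoteError(ValueError):
    """Raised when a note record or its JSON payload is malformed."""

def _align4(n):
    return (n + 3) & ~3

def _reject_constant(token):
    raise ValueError("non-standard JSON constant: " + token)

def iter_notes(section, endian="<"):
    """Yield (name, type, desc) for each ELF note record in raw section bytes."""
    off = 0
    while off < len(section):
        if len(section) - off < 12:
            raise NoteError("truncated note header")
        namesz, descsz, ntype = struct.unpack_from(endian + "III", section, off)
        name_off = off + 12
        desc_off = name_off + _align4(namesz)
        # The sizes come from the file itself: check them against the real buffer.
        if name_off + namesz > len(section) or desc_off + descsz > len(section):
            raise NoteError("note sizes exceed section")
        yield (section[name_off:name_off + namesz], ntype,
               section[desc_off:desc_off + descsz])
        off = desc_off + _align4(descsz)

def parse_json_note(desc):
    """Validate a payload that claims to be JSON (assumed NUL-padded UTF-8)."""
    if len(desc) > MAX_DESC:
        raise NoteError("payload too large")
    try:
        text = desc.rstrip(b"\0").decode("utf-8", errors="strict")
        value = json.loads(text, parse_constant=_reject_constant)
    except (ValueError, RecursionError) as exc:
        raise NoteError("payload is not valid JSON") from exc
    if not isinstance(value, dict):  # assumption: metadata must be a JSON object
        raise NoteError("top-level JSON value must be an object")
    return value

def make_note(name, ntype, desc):
    """Build one little-endian note record (only for the constructed samples)."""
    return (struct.pack("<III", len(name), len(desc), ntype)
            + name.ljust(_align4(len(name)), b"\0")
            + desc.ljust(_align4(len(desc)), b"\0"))

# Constructed samples: a well-formed note and the same note mangled afterwards.
GOOD = make_note(b"EXAMPLE\0", 1, b'{"type":"rpm","name":"demo"}\0')
MANGLED = GOOD[:-8] + b"\xff\xfe" + GOOD[-6:]
```

The reader rejects the mangled note no matter which tool wrote it, so the result does not depend on the producer having validated anything.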