After a couple of discussions at the DX hackfest about cross-platform-ness and deployment of GLib, I started wondering: we often talk about how GNOME developers work at all levels of the stack, but how much of that actually qualifies as ‘core’ work which is used in web servers, in cross-platform desktop software ((As much as 2014 is the year of Linux on the desktop, Windows and Mac still have a much larger market share.)), or commonly in embedded systems, and which is security critical?
On desktop systems (taking my Fedora 19 installation as representative), we can compare GLib usage to other packages, taking GLib as the lowest layer of the GNOME stack:
|Package||Reverse dependencies||Recursive reverse dependencies|
(Found with repoquery --whatrequires [--recursive] [package name] | wc -l. Some values omitted because they took too long to query, so can be assumed to be close to the entire universe of packages.)
Obviously GLib is depended on by many more packages here than OpenSSL, which is definitely a core piece of software. However, those packages may not be widely used or good attack targets. Higher layers of the GNOME stack see widespread use too:
(Found with repoquery --whatrequires [package name] | wc -l.)
Widely-used cross-platform software which interfaces with servers ((And hence is security critical.)) includes PuTTY and Wireshark, both of which use GTK+ (()). However, other major cross-platform FOSS projects such as Firefox and LibreOffice, which are arguably more ‘core’, only use GNOME libraries on Linux.
How about on embedded systems? It’s hard to produce exact numbers here, since as far as I know there’s no recent survey of open source software use on embedded products. However, some examples:
- Qt pulls in GLib as an optional dependency (automatically enabled if compiled for X11, QWS or QPA) for its main loop, and is used widely in embedded systems.
- EFL optionally uses GStreamer, GLib, Avahi and IBus.
- WebOS (for smart TVs) uses GStreamer, BlueZ and ConnMan, all of which use GLib.
- GStreamer itself is a GNOME technology and has become fairly well established as an embedded multimedia platform.
- The neard NFC stack uses GLib and D-Bus.
- In GENIVI, GStreamer and BlueZ are used as well.
So there are some sample points which suggest moderately widespread usage of GNOME technologies in open-source-oriented embedded systems. For more proprietary embedded systems it’s hard to tell. If they use Qt for their UI, they may well use GLib’s main loop implementation. I tried sampling GPL firmware releases from gpl-devices.org and gpl.nas-central.org, but both are quite out of date. There seem to be a few releases there which use GLib, and a lot which don’t (though in many cases they’re just kernel releases).
Servers are probably the largest attack surface for core infrastructure. How do GNOME technologies fare there? On my CentOS server:
- GLib is used by the popular web server lighttpd (via gamin),
- the widespread logging daemon syslog-ng,
- all MySQL load balancing via mysql-proxy, and
- also by QEMU.
- VMware ESXi seems to use GLib (both versions 2.22 and 2.24!), as determined from looking at its licencing file. This is quite significant — ESXi is used much more widely than QEMU/KVM.
- The Amanda backup server uses GLib extensively,
- as do the clustering solutions Heartbeat and Pacemaker.
I can’t find much evidence of other GNOME libraries in use, though, since there isn’t much call for them in a non-graphical server environment. That said, there has been heavy development of server-grade features in the NetworkManager stack, .
So it looks like GLib, if not other GNOME technologies, is a plausible candidate for being core infrastructure. Why haven’t other GNOME libraries seen more widespread usage? Possibly they have, and it’s too hard to measure. Or perhaps they fulfill a niche which is too small. Most server technology was written before GNOME came along and its libraries matured, so any functionality which could be provided by them has already been implemented in other ways. Embedded systems seem to shun desktop libraries for being too big and slow. The cross-platform support in most GNOME libraries is poorly maintained or non-existent, limiting them to use on UNIX systems only, and not the large OS X or Windows markets. At the really low levels, though, there’s solid evidence that GNOME has produced core infrastructure in the form of GLib.