[Fedora-packaging] Another clarification of the static library packaging guidelines

Richard W.M. Jones rjones at redhat.com
Tue Jul 6 09:09:54 UTC 2010


On Thu, Jul 01, 2010 at 02:26:52AM +0900, Mamoru Tasaka wrote:
> Michael Schwendt wrote, at 07/01/2010 02:09 AM +9:00:
> > There are dozens of -devel packages, which contain static libs only,
> > but don't provide a virtual -static package.
> >
> > What about OCaml?
> > https://fedoraproject.org/wiki/Packaging:OCaml
> > is not mentioning static libraries at all.
> 
> I am not familiar with OCaml but the above guideline says that
> "OCaml does not support dynamic linking of binaries".

That statement is confusing and untrue - I didn't want to add it to
the original guidelines.

OCaml supports dynamic linking to C code and always has, and it is
always used, e.g.:

$ ldd /usr/bin/virt-top
  linux-vdso.so.1 =>  (0x00007fff891e8000)
  libvirt.so.0 => /usr/lib64/libvirt.so.0 (0x0000003fc8000000)
  libncursesw.so.5 => /lib64/libncursesw.so.5 (0x00000035f4c00000)
  libm.so.6 => /lib64/libm.so.6 (0x00000035f3000000)
[etc]

OCaml < 3.11 didn't support dynamic linking to *natively compiled*
OCaml libraries (only to ones compiled as bytecode).

Since OCaml 3.11, both native and bytecode dynamic linking are fully
supported.

However even with 3.11 we still don't commonly dynamically link to
native OCaml libraries.  Because it's a new feature, this requires a
very large upstream, toolchain and packaging effort, even assuming
that it's worth doing at all.  OCaml libraries don't suffer the sorts
of common security bugs which so frequently affect C libraries, and C
libraries have always been dynamically linked, plus there are a lot
fewer pure OCaml libraries around.

The effect of this is that for OCaml *programs* (not libraries) if
there was ever a security bug in a dependent pure OCaml library, we
would need to recompile both the library and the program.  Other
libraries wouldn't be affected, because those don't contain the code
of the dependency.

There has never been a security bug related to OCaml code in an OCaml
library, and only two security bugs related to OCaml packages at all:
one was to some C code in ocaml-camlimages [package now defunct] and
another was insecure /tmp handling in the coccinelle program.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
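
Added example (not part of the original message, and not Fedora tooling): a small model of the rebuild rule described above, where a fix to a statically linked pure OCaml library means rebuilding that library plus every program that links it, directly or through another library, while intermediate libraries are left alone. The package names and the dependency graph are constructed, and the model assumes a program's final link pulls in the code of its whole transitive set of OCaml library dependencies.

```python
from collections import deque

# Constructed sample data (hypothetical names, not real Fedora packages):
# package -> (kind, direct pure-OCaml build dependencies)
PACKAGES = {
    "ocaml-liba": ("library", []),
    "ocaml-libb": ("library", ["ocaml-liba"]),
    "ocaml-libc": ("library", []),
    "prog-x": ("program", ["ocaml-libb"]),                # reaches liba via libb
    "prog-y": ("program", ["ocaml-libc"]),
    "prog-z": ("program", ["ocaml-liba", "ocaml-libc"]),
}


def transitive_deps(name, packages):
    """Return every library reachable from `name` through build dependencies."""
    seen = set()
    queue = deque(packages[name][1])
    while queue:
        dep = queue.popleft()
        if dep not in seen:          # also guards against dependency cycles
            seen.add(dep)
            queue.extend(packages[dep][1])
    return seen


def rebuild_set(vulnerable, packages):
    """Packages to rebuild once `vulnerable` (a pure OCaml library) is fixed.

    Assumption: only programs embed the library's code at link time, so
    libraries that merely depend on it do not need a rebuild.
    """
    rebuild = {vulnerable}
    for name, (kind, _deps) in packages.items():
        if kind == "program" and vulnerable in transitive_deps(name, packages):
            rebuild.add(name)
    return sorted(rebuild)


if __name__ == "__main__":
    for lib in ("ocaml-liba", "ocaml-libc"):
        print(lib, "->", rebuild_set(lib, PACKAGES))
```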

