[Proposal] Ring-based Packaging Policies

Michael Schwendt mschwendt at gmail.com
Fri Feb 13 13:35:52 UTC 2015


On Fri, 13 Feb 2015 13:54:59 +0100, Ralf Corsepius wrote:

> Meanwhile, we've had much more critical vulnerabilities in widely used 
> libs (Remember heartbleed), which all have been quite easy to fix 
> packaging-wise. IMO, to a great portion, thanks to having mostly banned 
> static linkage and bundling.

There's more to it, too.

Static linking is not only a risk with regard to security vulnerabilities.

You cannot retest against an updated static lib without relinking the
dependencies. You don't learn about new runtime breakage (or regressions)
caused by the changed static lib, because the programs still use an old
lib linked into them. The changed lib may have been out for many weeks as
an update, but nothing test-drives it. What a surprise, if the lib were
found to cause a sudden problem for a minor rebuild of a program. Or
worse, if the rebuild were released quickly because of expecting it to
be harmless, but the static lib under the hood has changed and breaks
runtime for users.
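The argument above hinges on being able to tell which binaries carry their own copy of a lib and therefore never exercise a shared-library update. The following is an added example (not part of this thread or of Fedora's tooling): a small ELF64 check that a packager can run over a build root to flag statically linked executables by the absence of PT_INTERP/PT_DYNAMIC program headers. The sample images are constructed inline; the reader's own files are the realistic input.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3   # program header types from the ELF spec


def program_header_types(elf: bytes) -> list[int]:
    """Return the p_type of every program header in a little-endian ELF64 image."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    types = []
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", elf, e_phoff + i * e_phentsize)
        types.append(p_type)
    return types


def is_statically_linked(elf: bytes) -> bool:
    """A binary with no interpreter and no dynamic section resolves nothing at runtime,
    so a later update of any library it uses cannot reach it without a relink."""
    types = program_header_types(elf)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def build_elf64(p_types: list[int]) -> bytes:
    """Constructed sample: a bare ELF64 header plus empty program headers (not loadable)."""
    phoff, phentsize = 64, 56
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, LE, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0, phoff, 0, 0,                            # EXEC, x86-64, no sections
        64, phentsize, len(p_types), 64, 0, 0,
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


if __name__ == "__main__":
    # Usage: python check_static.py /path/to/bin/*  -> lists statically linked ELF64 files
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read(4096)                                # headers sit at the front
        try:
            if is_statically_linked(data):
                print(f"STATIC  {path}")
        except ValueError:
            pass                                               # scripts, ELF32, non-ELF files
```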

