[Fedora-packaging] Package-internal static linkage

Toshio Kuratomi a.badger at gmail.com
Sat May 2 15:25:23 UTC 2009


Ville Skyttä wrote:

> It's easy enough to change this and link the executables dynamically, and I 
> haven't bothered to get any numbers to check the upstream claim.  But I 
> suppose the primary security reason against static linkage doesn't really 
> apply that much when the executable and the lib are results from the same 
> package build, so I thought I'd ask if there are strong opinions on whether 
> this would be a valid exception to the no static linkage guideline or not 
> (none here).

I tend to agree that the primary reason for this is security and that
claim is not as strong in this case.  I have two thoughts to toss out:

* Linking the utilities dynamically tests that dynamic linking works.
mono w/ libmono on ppc caught this problem (although we're currently
shipping that statically linked because F11 is too close and nothing
else in-distro currently embeds the mono runtime :-(

* If we allow this, reviewers and packagers will have to be careful
about deciding whether the package really is the canonical place for the
library.  For instance, rsync builds against a private, slightly
modified version of zlib.  zsync does the same thing.  These should not
be allowed exceptions as the security concerns still apply.

Ralf's point about saving disk space is also a negative.

-Toshio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/packaging/attachments/20090502/0654c893/attachment.bin 


More information about the packaging mailing list