[Fedora-packaging] Package-internal static linkage
Toshio Kuratomi
a.badger at gmail.com
Sat May 2 15:25:23 UTC 2009
Ville Skyttä wrote:
> It's easy enough to change this and link the executables dynamically, and I
> haven't bothered to get any numbers to check the upstream claim. But I
> suppose the primary security reason against static linkage doesn't really
> apply that much when the executable and the lib are results from the same
> package build, so I thought I'd ask if there are strong opinions on whether
> this would be a valid exception to the no static linkage guideline or not
> (none here).
I tend to agree that the primary reason for this is security and that
claim is not as strong in this case. I have two thoughts to toss out:
* Linking the utilities dynamically tests that dynamic linking works.
mono w/ libmono on ppc caught this problem (although we're currently
shipping that statically linked because F11 is too close and nothing
else in-distro currently embeds the mono runtime :-(
* If we allow this, reviewers and packagers will have to be careful
about deciding whether the package really is the canonical place for the
library. For instance, rsync builds against a private, slightly
modified version of zlib. zsync does the same thing. These should not
be allowed exceptions as the security concerns still apply.
Ralf's point about saving disk space is also a negative.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/packaging/attachments/20090502/0654c893/attachment.bin
More information about the packaging
mailing list