On 2013-09-27 15:13, Thomas Bächler wrote: > Am 27.09.2013 14:56, schrieb Chris Down: > > Well, static libraries are not a waste of space if it was intentional. > > Static linking should be preferred for a number of reasons[0], they > > should be preferred in any sane Linux distribution (of which, > > unfortunately I can't name any at the moment until stali comes out). > > > > 0: http://sta.li/faq > > Nothing about using static libraries is sane. That FAQ seems to be about > some bitterness about glibc and its code, which has nothing to do with > static and dynamic linking. Not really. The releated references to glibc are more about refuting the "size" argument when linking against it (as opposed to a more sane libc). > Now, to the key point: > > > Aren’t statically linked executables less secure? > > > > Several people argue (with implicitly requiring ABI-stability) that > dynamically linked executables benefit from security fixes in libraries > they depend on. > > What "some people argue" is true. If there is a vulnerability in zlib > (which actually happened a few years back), all that is needed is to > rebuild zlib and be happy. A statically linked system would need to find > every single binary that incorporates zlib and rebuild it. IMO either way this is a non-argument (in both directions), because any sane distribution should be able to pinpoint what needs to be rebuilt. > > This is true to some extend, but if there is a security flaw in a > dynamically linked library, all programs are affected as well; whereas > statically executables aren’t. > > This is the biggest pile of nonsense I ever read. If there is a flaw in > a library, all programs that use it are affected - including statically > linked executables that were built using that library. That wording seems lost in translation (it was written by Anselm, who is not a native English speaker). I suspect it is supposed to read "statically linked executables aren't affected by vulnerabilities in the dynamic libraries installed on your system". I'll rewrite that. IMO this is again a non-argument either way. > It is even worse: There is no easy way to determine which version of the > library a specific binary was built against. This is a security nightmare. Well, there isn't any more of a way to do that with dynamic linking, really, other than the fact it allows you to use a filename in which you can store the version number. But this is the purpose of a package manager, and documenting your build process. We could also argue that there is no standard way of storing version information in many languages, but that kind of misses the point, which is that the version is arbitrary, and should be metadata stored by the package manager.
Attachment:
pgpSL4r4wTw5c.pgp
Description: PGP signature