On 2013-09-27 16:36, Thomas Bächler wrote:
> In his 'Aren’t statically linked executables huge?' section, he wants to
> say that statically linked binaries are not as big as people think. For
> that, he compares two binaries of ksh:
>
> Static uclibc: 170KB
> Dynamic glibc: 234KB
>
> This comparison is entirely worthless. glibc is not optimized for size
> and has lots of overhead (as he correctly states). Compile and link the
> same code dynamically against uclibc and you will get something in the
> tens of kilobytes.
>
> I use OpenWRT on an embedded device, and they use uclibc and dynamically
> linked libraries/binaries everywhere - the size difference to statically
> linked binaries is incredibly huge here, to the point that using static
> linking will result in a firmware image too large to even flash.
>
> In fact, statically linked executables ARE huge and he is wrong.
>
> He wants to criticise dynamic linking, but in fact only compares uclibc
> to glibc.

You've missed the point, which is about the currently tolerated size vs.
the actual size of linking with uclibc. It's not a direct comparison.

> > That wording seems lost in translation (it was written by Anselm, who
> > is not a native English speaker). I suspect it is supposed to read
> > "statically linked executables aren't affected by vulnerabilities in the
> > dynamic libraries installed on your system". I'll rewrite that.
>
> Statically linked binaries are affected by the vulnerabilities in the
> static libraries that were installed on your system _at build time_.
>
> That is what needs to be said here and it is the single strongest
> argument against static linking. The language barrier is no excuse for
> not saying that.

I don't see how that wasn't implicit, even in his version...

> > > It is even worse: There is no easy way to determine which version of the
> > > library a specific binary was built against. This is a security nightmare.
> >
> > Well, there isn't any more of a way to do that with dynamic linking,
>
> There is no need to do it with dynamic linking: Any bugs (relevant to
> security or not) are not in the binary, but only in the shared library.
> Replacing the shared library with a fixed version solves the bug.

There is a reason that there is package metadata.
Attachment:
pgpuoSW8SYPWB.pgp
Description: PGP signature
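Added example, not part of the thread and not code from the sta.li project: the check the two sides are arguing about, done against the ELF file itself rather than via readelf/ldd. For a dynamically linked binary the loader's inputs are recorded in the file (PT_INTERP plus the DT_NEEDED entries of the dynamic section), so the exact library is whatever the package manager installed and its metadata tracks it. For a statically linked binary nothing of the kind is recorded; the only thing left to try is a heuristic, here a search for the "GNU C Library ... release version" banner glibc embeds, which finds nothing for a libc that embeds no such banner. The two sample images are constructed in the script (a minimal header, program headers and dynamic section, not runnable programs), the interpreter path, library names and the "2.17" banner string are made-up sample values, and the address translation goes through the PT_LOAD segments as a real parser must.

```python
"""Added example: tell from the ELF itself whether a binary is statically
or dynamically linked, list its DT_NEEDED libraries, and try to recover a
libc version banner from a static binary. Pure Python: no readelf or ldd.
The sample ELF images are constructed here and are not real programs."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
DYN = "<qQ"                 # Elf64_Dyn, 16 bytes

def program_headers(data):
    """Return the program headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = f[5], f[9], f[10]
    hdrs = []
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        hdrs.append({"type": p_type, "off": p_off, "vaddr": p_vaddr, "filesz": p_filesz})
    return hdrs

def vaddr_to_offset(hdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for h in hdrs:
        if h["type"] == PT_LOAD and h["vaddr"] <= vaddr < h["vaddr"] + h["filesz"]:
            return h["off"] + (vaddr - h["vaddr"])
    raise ValueError("address 0x%x is not backed by the file" % vaddr)

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def linkage(data):
    """Classify an image as 'static' or 'dynamic' and list what the loader
    would map. 'dynamic' means a PT_INTERP and/or DT_NEEDED entries exist; a
    static-pie has PT_DYNAMIC for its own relocations but no DT_NEEDED."""
    hdrs = program_headers(data)
    interp, needed, strtab, tags = None, [], None, []
    for h in hdrs:
        if h["type"] == PT_INTERP:
            interp = cstring(data, h["off"])
        elif h["type"] == PT_DYNAMIC:
            for off in range(h["off"], h["off"] + h["filesz"], 16):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                tags.append((tag, val))
                if tag == DT_STRTAB:
                    strtab = vaddr_to_offset(hdrs, val)  # DT_STRTAB holds a vaddr
    if strtab is not None:
        needed = [cstring(data, strtab + val) for tag, val in tags if tag == DT_NEEDED]
    return {"kind": "dynamic" if (interp or needed) else "static",
            "interp": interp, "needed": needed}

def libc_banner(data):
    """Heuristic for static binaries: glibc embeds a 'GNU C Library ...
    release version X.Y' string that survives static linking. A libc
    without such a banner gives None; there is no general marker to read."""
    i = data.find(b"GNU C Library")
    return None if i < 0 else cstring(data, i)

def build_sample_elf(interp=None, needed=(), extra=b""):
    """Construct a minimal ELF64 image for testing (constructed input, not a
    runnable program): header, phdrs, interp string, string table, dynamic
    entries, then `extra`. One PT_LOAD maps the file at vaddr 0, so virtual
    addresses equal file offsets."""
    dynamic = bool(interp or needed)
    phnum = 1 + dynamic + bool(interp)
    body = 64 + 56 * phnum
    interp_b = interp.encode() + b"\0" if interp else b""
    names = [n.encode() + b"\0" for n in needed]
    strtab = b"\0" + b"".join(names)
    strtab_off = body + len(interp_b)
    dyn_off, dyn, pos = strtab_off + len(strtab), b"", 1
    if dynamic:
        for n in names:
            dyn += struct.pack(DYN, DT_NEEDED, pos)
            pos += len(n)
        dyn += struct.pack(DYN, DT_STRTAB, strtab_off) + struct.pack(DYN, DT_NULL, 0)
    total = dyn_off + len(dyn) + len(extra)
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    if dynamic:
        phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if interp:
        phdrs += struct.pack(PHDR, PT_INTERP, 4, body, body, body, len(interp_b), len(interp_b), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + interp_b + strtab + dyn + extra

if __name__ == "__main__":
    # With file arguments, report on real binaries; otherwise on the two samples.
    samples = {"dynamic-sample": build_sample_elf("/lib64/ld-linux-x86-64.so.2", ("libc.so.6",)),
               "static-sample": build_sample_elf(extra=b"GNU C Library (constructed) release version 2.17\0")}
    for name in sys.argv[1:] or list(samples):
        data = samples.get(name) or open(name, "rb").read()
        info = linkage(data)
        banner = libc_banner(data) if info["kind"] == "static" else ""
        print(name, info["kind"], info["interp"], info["needed"], banner)
```

Run it with no arguments to see the two constructed samples, or with paths to real binaries (`python3 elf_linkage.py /bin/ls /path/to/static-bin`, file name assumed). The point the output makes for the thread: the "dynamic" report names the exact shared objects that will be patched when the distribution ships a fixed library, while the "static" report can at best guess a libc version from a banner string and says nothing about any other library linked in.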