On 11/27/06, Callum Lerwick <seg@xxxxxxxxxx> wrote:
> Your only argument seems to be that these skillful programmers, that presumably have advanced math degrees if they're programming scientific number crunching apps, and can figure out how to statically compile their app, are too retarded to write a trivial one line wrapper script, run ldd on their app, and tar up their app with the libs it needs.

Going through the main points on http://people.redhat.com/drepper/no_static_linking.html I don't see a lot of justification for the complete removal of static linking support in Fedora. So far the only proposed alternative to static linking is this approach of sticking the .so files in with the program and using LD_LIBRARY_PATH in a script -- which is almost just as bad as static linking.

Here are the main points that Ulrich has made:

* Security holes and bugs can't be fixed by just updating the library on the system
  This is just as much an issue when using the .so file bundle method.

* No load address randomization
  Not an issue with the .so file bundle method.

* Less efficient use of memory
  Same issue with the .so file bundle method.

* Some libraries require dynamic linking which might try to load incompatible external code
  Same issue with the .so file bundle method.

* Possible accidental violation of the LGPL
  Not an issue with shared object bundling, though I suppose for most software that Fedora users build it's not an issue either.

* ltrace and other tricks don't work
  Not an issue with shared object bundling.

So the only advantages shared object bundling has over static linking are:

- Load address randomization
- ltrace and other small things don't work, and there is a (probably rare) chance of violating the LGPL.

I just don't see why static linking support should be removed because of these things. While exploits involving fixed addresses do happen, it's really nothing compared to the risk involved in bundling possibly broken and insecure libraries along with the application (whether by static linking or other methods). In my opinion the strongest argument against static linking is risk of security bugs and incorrect hard-coding of system-specific actions, which is just as much an argument against bundling shared objects with a program.

I'm not defending static linking, but I just think that a better alternative needs to be found for making portable binaries before we remove support for it -- there's no point in causing migration headaches for even a small number of developers/users unless we actually have something reasonably better to offer.

n0dalus.