On Thu, Jul 01, 2010 at 02:26:52AM +0900, Mamoru Tasaka wrote:
> Michael Schwendt wrote, at 07/01/2010 02:09 AM +9:00:
> > There are dozens of -devel packages, which contain static libs only,
> > but don't provide a virtual -static package.
> >
> > What about OCaml?
> > https://fedoraproject.org/wiki/Packaging:OCaml
> > is not mentioning static libraries at all.
>
> I am not familiar with OCaml but the above guideline says that
> "OCaml does not support dynamic linking of binaries".

That statement is confusing and untrue - I didn't want to add it to
the original guidelines.

OCaml supports dynamic linking to C code and always has, and it is
always used, eg:

  $ ldd /usr/bin/virt-top
        linux-vdso.so.1 => (0x00007fff891e8000)
        libvirt.so.0 => /usr/lib64/libvirt.so.0 (0x0000003fc8000000)
        libncursesw.so.5 => /lib64/libncursesw.so.5 (0x00000035f4c00000)
        libm.so.6 => /lib64/libm.so.6 (0x00000035f3000000)
        [etc]

OCaml < 3.11 didn't support dynamic linking to *natively compiled*
OCaml libraries (only to ones compiled as bytecode). Since OCaml 3.11,
both native and bytecode dynamic linking are fully supported.

However even with 3.11 we still don't commonly dynamically link to
native OCaml libraries. Because it's a new feature, this requires a
very large upstream, toolchain and packaging effort, even assuming
that it's worth doing at all. OCaml libraries don't suffer the sorts
of common security bugs which so frequently affect C libraries, and C
libraries have always been dynamically linked, plus there are a lot
fewer pure OCaml libraries around.

The effect of this is that for OCaml *programs* (not libraries) if
there was ever a security bug in a dependent pure OCaml library, we
would need to recompile both the library and the program. Other
libraries wouldn't be affected, because those don't contain the code
of the dependency.

There has never been a security bug related to OCaml code in an OCaml
library, and only two security bugs related to OCaml packages at all:
one was to some C code in ocaml-camlimages [package now defunct] and
another was insecure /tmp handling in the coccinelle program.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top