Static linking considered harmful

Leszek Matok Lam at Lam.pl
Wed Nov 22 17:38:13 UTC 2006


On Wed, 22-11-2006 at 12:10 -0500, Jakub Jelinek wrote:
> If you want bit-reproducible results, you can equally well
> just stick the shared libraries you need into the same directory as the
> program
This way you still don't upgrade a library to the bug-free version if
you don't remember about that. You save compiling time, true. But you
still have to remember which library has to be copied (instead of
linked in). I thought the main point of the discussion was the security
issues arising when someone forgets to relink some program.

> and run it as
> ./ld-linux*.so.2 --library-path . ./the_numerical_program arguments
This leads to users having LD_LIBRARY_PATH set to ".", which is a huge
security risk by itself (and many times greater than statically linked
programs, IMO). Don't tell me users will use your hard to remember and
type line - there'll be tens of howtos suggesting LD_LIBRARY_PATH=.
everywhere on the Internet if you do that.

I'm for making -devel-static packages and sticking with the policy of
discouraging, not disallowing compiling programs as static.

Lam
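
A check for the risk raised in the message above (a library search path set to "."), as an added example that is not part of the original message; the function name `audit_libpath` and the sample values are hypothetical. It goes slightly beyond the "." case: it also flags empty entries, which the glibc loader searches as the current directory, and world-writable directories.

```sh
#!/bin/sh
# audit_libpath VALUE
# Prints one line per risky entry in a library search path value.
# Returns 1 if any risky entry was found, 0 otherwise.
audit_libpath() {
    value=$1
    rc=0
    if [ -z "$value" ]; then
        return 0                      # nothing to audit
    fi
    # ld.so accepts ':' or ';' as separators; normalise to ':'.
    value=$(printf '%s' "$value" | tr ';' ':')
    rest="$value:"                    # sentinel keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '')
                echo "RISK empty entry: searched as the current directory"
                rc=1 ;;
            /*)
                # Absolute path: risky only if anyone can drop files into it.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "RISK world-writable directory: $entry"
                    rc=1
                fi ;;
            *)
                echo "RISK relative entry: '$entry' depends on the current directory"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample values (not from the original message).
for sample in "." "/opt/app/lib:" "lib:/usr/lib"; do
    echo "== LD_LIBRARY_PATH='$sample'"
    audit_libpath "$sample" || true
done
```

Run it against `"$LD_LIBRARY_PATH"` in login scripts or wrapper scripts to catch the `LD_LIBRARY_PATH=.` pattern before it spreads.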

More information about the fedora-devel-list mailing list