Suggestion: Static libs policy, a draft (was: Re: Static linking considered harmful)

Dmitry Butskoy buc at odusz.so-cdu.ru
Mon Nov 27 15:04:45 UTC 2006 

There seems that some compromise might be possible here.
I try to formulate certain approximate theses.

First of all, static libraries (if present) must go to the separate 
package ("-devel-static" or just "-static").


In order to support any static link, the "main system library", libc.a, 
must be present anyway


1. IF a library is needed for some binary which are built static in 
Core, such a library must have static variant too.
In other words, for all statically linked executables in Core 
(recovering, init/boot time etc.), all the libraries which take place in 
the correspond static linkage must be present.

2. ELSE IF the library hardly depends on some particular environment, it 
must not have static variant.
For example, static linking with Gnome or KDE seems to be unuseful anyway.

3. ELSE IF the library processes any data which usually or potentially 
might come on a computer from an "external world", or if it designed to 
operate with some kind of "external world", such a library must not have 
static variant.
Here all the wide-used binary contents (graphic, compress, crypt) and 
network protocols (ssl, X).
(Most often security issues are related for such types of libraries).

4. ELSE IF the library seems to be useful for static linking in some 
specific local environments, and there are some known users (or some 
known kind of users) who use it, this library should have the static 
variant.
Here, for example, all "numeric/scientific" libraries (as already 
discussed for portability), maybe even ncurses, etc.

5. ELSE
    All another libraries must not have static by default. If some user 
request for it, the library's maintainer may provide static variant. The 
library's maintainer should provide a way for user to re-compile the 
library statically -- for example, by rpmbuild option "--with-static" 
and correspond condition macros in the .spec file.


In short words:
1. if        Used for static linking something in Core -- yes
2. elseif  Unuseful anyway -- no
3. elseif  Dangerous for security -- no
4. elseif  Some kind of users use it locally -- yes
5. else   maybe, but default -- no

Libraries of p.1 certainly should be available on CD/DVD, but libraries 
of p.4/p.5 must be distributed the same way as "-debuginfo" packages 
(i.e,, outside of the main distro trees).


Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy


P.S. Please note, that it is just a draft... ;)

More information about the fedora-devel-list mailing list