packaging a static library

Ralf Corsepius rc040203 at
Tue Dec 29 13:41:18 UTC 2009

On 12/29/2009 11:52 AM, Daniel Drake wrote:
> Hi,
> OLPC's security system uses libtomcrypt / tomsfastmath, both at the
> Linux level and the firmware level.
> OLPC has previously had a specific version of tomcrypt/tommath
> profesionally audited for security reasons. So we obviously want to
> stick with that version.
> A few packages we have in Fedora currently use this frozen, audited
> version - we do so by shipping duplicate copies of that source code
> within the individual packages, rather than linking against the dynamic
> systemwide equivalents.
> As we're now looking at making another package which uses yet another
> duplicate copy of this code base I'm wondering if we can do it better.
> Could I add a package, named olpc-bios-crypto-devel (a subpackage of the
> to-be-packaged olpc-bios-crypto), which installs the .a files for the
> audited libraries somewhere on the system?
> Then the individual components that rely on this library (e.g. bitfrost,
> olpc-contents, olpc-bios-crypto) would have a BuildRequires dependency
> on olpc-bios-crypto-devel and build against the 'systemwide' static .a
> library files.
> Or am I going too far against common packaging practice at this point?
Yes. You are outsmarting yourselves and not doing good to other users of 
the libraries, IMO.

If all users of the library were using the same, identical shared 
versions, everybody would benefit from your "auditing", maintainers 
would benefit from "issues being fixed" at one place, users would 
benefit from you not shipping statically linked packages.

> Any alternative suggestions?
Use system-wide, shared versions only, unless there are technical 
reasons for not doing so - Your rationale doesn't provide such.


More information about the fedora-devel-list mailing list