packaging a static library

Jon Masters jonathan at
Wed Dec 30 06:29:29 UTC 2009

On Tue, 2009-12-29 at 14:41 +0100, Ralf Corsepius wrote:
> On 12/29/2009 11:52 AM, Daniel Drake wrote:

> > OLPC has previously had a specific version of tomcrypt/tommath
> > professionally audited for security reasons. So we obviously want to
> > stick with that version.
> >
> > A few packages we have in Fedora currently use this frozen, audited
> > version - we do so by shipping duplicate copies of that source code
> > within the individual packages, rather than linking against the dynamic
> > systemwide equivalents.
> > Or am I going too far against common packaging practice at this point?
> Yes. You are outsmarting yourselves and not doing good to other users of 
> the libraries, IMO.

I think the argument could go both ways. In the case of OLPC, they're
providing Open Source pieces that are similar to things like the TPM
technologies in other systems. If a certain major PC chip manufacturer
decided to release all of the design and code schematics for their TPM
chips, the community would probably praise them...and then wonder what
the potential could be for a bad library release to undermine them.

> If all users of the library were using the same, identical shared 
> versions, everybody would benefit from your "auditing", maintainers 
> would benefit from "issues being fixed" at one place, users would 
> benefit from you not shipping statically linked packages.

One presumes that such auditing is expensive, lengthy, and not often to
be repeated. Committing to undertaking a full code audit on every update
would seem to be a little unreasonable of a request. So I think it's
obvious that if they want to use an audited version, there will have to
be a separate audited version.
