packaging a static library

Ralf Corsepius rc040203 at
Wed Dec 30 07:05:19 UTC 2009

On 12/30/2009 07:29 AM, Jon Masters wrote:
> On Tue, 2009-12-29 at 14:41 +0100, Ralf Corsepius wrote:
>> On 12/29/2009 11:52 AM, Daniel Drake wrote:
>>> OLPC has previously had a specific version of tomcrypt/tommath
>>> professionally audited for security reasons. So we obviously want to
>>> stick with that version.
>>> A few packages we have in Fedora currently use this frozen, audited
>>> version - we do so by shipping duplicate copies of that source code
>>> within the individual packages, rather than linking against the dynamic
>>> systemwide equivalents.

>> If all users of the library were using the same, identical shared
>> versions, everybody would benefit from your "auditing", maintainers
>> would benefit from "issues being fixed" at one place, users would
>> benefit from you not shipping statically linked packages.
> One presumes that such auditing is expensive, lengthy, and not often to
> be repeated. Committing to undertaking a full code audit on every update
> would seem to be a little unreasonable of a request. So I think it's
> obvious that if they want to use an audited version, there will have to
> be a separate audited version.

Well, I disagree: If they want to use "their audited version", they 
haven't understood how open source works. They qualify as jerks who 
prefer to use proprietary forks instead of "paying back" to "upstream" 
and the wider user-base.


More information about the fedora-devel-list mailing list