static libraries' policy: possible solution

Michael A. Peters mpeters at mac.com
Thu Nov 17 18:20:58 UTC 2005


On Thu, 2005-11-17 at 10:01 -0500, Jeff Spaleta wrote:

> I understand and accept the argument that there will be situations
> where a developer will want to link statically in situations which run
> counter to Extras packaging policy standards, for example in-house
> development needs.  How much easier can rebuilding srpms locally be
> made so that statics can be recovered sanely?

If statics are not split off - then the next yum update would remove
their rpm that has the static libraries. So you'll end up with
developers using exclude in their yum conf - which is an even bigger
security problem than including the static .a files.

OTOH if static libraries were their own package, they could be made
available via yum - including updates. Your common user doesn't need to
install them, only people who need to link against them would install
them - and they would have them updated via yum when there are bugs that
are found and patched.

I realize it's a lot of work to modify existing spec files to add a new
sub package, but it isn't that much more work than modifying existing
spec files to remove the static files.

They then would only be installed by explicit request, which means they
aren't pulled in by yum - so the only people who get them are those who
specifically want them, and when they do get them - they can be updated
automagically when the parent package is updated. That will reduce
vulnerable binaries because a developer was too lazy to rebuild the
src.rpm every time a security issue is found and resolved.
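
The message above warns that developers may resort to exclude in their yum configuration to hold on to a package that carries static libraries. As an added example (not part of the original message), this Python check lists the exclude= directives in yum-style configuration text and reports which pending updates they would hide. The package names, repo ids and sample configuration are constructed, and matching is simplified to the package name only.

```python
import configparser
import fnmatch
import re

# Constructed sample: a yum.conf where packages were pinned to keep their static .a files.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1
exclude=libfoo* kernel-smp,
    libbar-devel

[extras]
name=Extras
baseurl=http://mirror.example.invalid/extras/
exclude=libbaz
"""

def find_excludes(conf_text):
    """Return {section: [patterns]} for every exclude= directive in the text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    found = {}
    for section in parser.sections():
        raw = parser.get(section, "exclude", fallback="")
        # List values may be separated by spaces or commas and continue on indented lines.
        patterns = [p for p in re.split(r"[,\s]+", raw) if p]
        if patterns:
            found[section] = patterns
    return found

def blocked_updates(excludes, pending):
    """Return (name, section, pattern) for each pending update an exclude hides.

    pending is a list of (package_name, repo_id); [main] excludes apply to
    every repo, a repo section's excludes only to packages from that repo.
    """
    blocked = []
    for name, repo in pending:
        for section in ("main", repo):
            patterns = excludes.get(section, [])
            hit = next((p for p in patterns if fnmatch.fnmatchcase(name, p)), None)
            if hit:
                blocked.append((name, section, hit))
                break
    return blocked
```

Feeding blocked_updates the names from a pending security update list shows which fixes a pinned host would silently miss.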



