Hi Peter, Are we talking about the csc -static option? Doesn't this only link all eggs statically, and not their foreign dependencies (libc, libsqlite3 etc)?
>From what I gather, even if you do csc -static, you'll get system updates for foreign dependencies. Just not any automatic egg updates. K. On Thu, Dec 4, 2025, 04:14 Peter Bex via Chicken-users < [email protected]> wrote: > On Thu, Dec 04, 2025 at 12:31:42AM +0300, Alexey Egorov via Chicken-users > wrote: > > > What is it that you don't like in the static linking solution? > > > > Uh, that was not ideal choice of words. I don't dislike static > > linking, in fact I > > prefer it for simplicity, stability and general ease of use. > > > > The full story is, I want to package my software, some distros (e.g. > Gentoo) > > discourage the use of static linking for security reasons, and while > it's not > > forbidden to do so, I'd like to follow the guidelines as closely as > possible. > > I always thought those same distro guidelines also preferred to use > centralized installation of dependencies. For example, in Debian if > you install something like, say, Django it'll install python3-pytz, > python3-python3-yaml etc in the system-wide package location. > This also basically means you can only have one copy of each Python > package installed. > > Accepted best practices for Python software usually involves setting up > a virtualenv and installing it locally in the directory of a project so > you can control the exact python packages and don't run into dependency > hell due to clashes with the system-wide package, but distros completely > disregard these best practices for ease of packaging and (like you say) > security - upgrading one library fixes the security of all Python > programs relying on that library. > > I don't know Arch that well, but from a quick look at > https://archlinux.org/packages/extra/any/python-django/ it seems to > behave identically to Debian in this regard. > > So if you do decide to deviate from this practice with your CHICKEN > programs, I would suggest static linking of eggs is not meaningfully > different. The only benefit you'd get from dynamic linking in a > custom location is that you'd be able to get security updates for the > system C libraries the eggs in your program depend on. But if the eggs > themselves get a security update, your program would not automatically > benefit from that. > > Cheers, > Peter > >
