Felix Lechner pushed to branch master at lintian / lintian


Commits:
4c091cd2 by Felix Lechner at 2022-01-13T10:47:57-08:00
Turn embedded-library into a classification tag. (Closes: #932634)

Linking statically may no longer be a packaging error in 2022. Many ostensibly
modern languages such as Golang, Rust or Haskell link most or all libraries
statically into the binaries they produce.

For some time, I tried to find other identifying characteristics that would
distinguish the C library libyaml, when linked in statically, from binaries in
other statically linked languages.

Vexingly for this purpose, the newer YAML implementations seem to mirror the
strings found in the C version with amazing accuracy. The sole exception was the
string "found a tab character that violate indentation" (missing an S) but it
seemed unwise to rely on a misspelling that might be corrected, even while the
defective string was still present in the latest libyaml version in unstable.

Of course, the security considerations stated in the tag description still
apply, but those issues reach nowadays far beyond static linking. My desperate
searches on codesearch.d.n were further befuddled by many vendored sources that
should perhaps not be there. [1]

After some reflection, the Security Team likely has to examine all embedded
versions of affected libraries even when the mode of linking is not actionable
by the Debian distributor because a language works that way.

As a compromise, this commit hides the tag from everyday users but keeps the
information accessible via our website's JSON interface [2] for anyone
researching security matters.

Thanks to Helen Koike for bringing the matter to our attention!

[1] For an example, see yaml.v2 here: 
https://sources.debian.org/src/golang-github-coreos-discovery-etcd-io/2.0.0+git2019.04.19.git.78fb45d3c9-4/Gopkg.lock/#L543-L549
[2] https://lintian.debian.org/query

- - - - -


1 changed file:

- tags/e/embedded-library.tag


Changes:

=====================================
tags/e/embedded-library.tag
=====================================
@@ -1,5 +1,5 @@
 Tag: embedded-library
-Severity: error
+Severity: classification
 Check: libraries/embedded
 Explanation: The given ELF object appears to have been statically linked to
  a library. Doing this is strongly discouraged due to the extra work
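Review bot: the Explanation still opens with "Doing this is strongly discouraged due to the extra work" while the hunk lowers Severity from error to classification, so the tag text now contradicts the commit's own reasoning that static linking is normal for Go, Rust and Haskell and is not actionable by the packager. Consider rewording the Explanation in the same change, for instance to say that the tag records an embedded copy of a library so that security updates to the system version can be tracked, since the text remains visible through the JSON interface the commit message points researchers to.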
@@ -9,4 +9,5 @@ Explanation: The given ELF object appears to have been 
statically linked to
  If the package uses a modified version of the given library it is highly
  recommended to coordinate with the library's maintainer to include the
  changes on the system version of the library.
-See-Also: debian-policy 4.13
+See-Also:
+ debian-policy 4.13
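Review bot: splitting "See-Also: debian-policy 4.13" onto two lines is a formatting-only change with no functional relation to the severity downgrade, and the commit message does not mention it. Either keep it out of this commit or add a sentence noting the field was reformatted, so the history of the tag file is not confusing for the next person auditing why this tag changed.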



View it on GitLab: 
https://salsa.debian.org/lintian/lintian/-/commit/4c091cd2d2433e434e3b4326e094ed14534cd3cf
