On Fri, 13 Feb 2015 13:54:59 +0100, Ralf Corsepius wrote:

> Meanwhile, we've had much more critical vulnerabilities in widely used
> libs (Remember heartbleed), which all have been quite easy to fix
> packaging-wise. IMO, to a great portion, thanks to having mostly banned
> static linkage and bundling.
There's more to it, too. Static linking is not only a risk with regard to security vulnerabilities. You cannot retest against an updated static lib without relinking the dependencies. You don't learn about new runtime breakage (or regressions) caused by the changed static lib, because the programs still use an old lib linked into them. The changed lib may have been out for many weeks as an update, but nothing test-drives it. What a surprise, if the lib were found to cause a sudden problem for a minor rebuild of a program. Or worse, if the rebuild were released quickly because of expecting it to be harmless, but the static lib under the hood has changed and breaks runtime for users.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
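An added example, my own rather than code from this thread: a small C classifier that reads an ELF64 image's program headers and reports whether a binary resolves its libraries at run time (PT_DYNAMIC/PT_INTERP present, so a library update reaches it immediately) or has them baked in (neither present, so it only changes when relinked). It assumes little-endian ELF64 input, and the sample image it builds is constructed for the demo, not a runnable executable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum linkage { LINK_NOT_ELF = -1, LINK_DYNAMIC = 0, LINK_STATIC = 1 };

/* Read an n-byte little-endian field; ELF64 headers are parsed raw, so no elf.h is needed. */
static uint64_t rd(const unsigned char *p, int n) { uint64_t v = 0; while (n--) v = v << 8 | p[n]; return v; }
/* A binary that picks up a library update at run time carries PT_DYNAMIC (and PT_INTERP);
 * one with neither has its libraries baked in and only changes when it is relinked. */
int classify_elf64(const unsigned char *buf, size_t len)
{
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) || buf[4] != 2 || buf[5] != 1)
        return LINK_NOT_ELF;                               /* not a little-endian ELF64 header */
    uint64_t phoff = rd(buf + 32, 8), phentsize = rd(buf + 54, 2), phnum = rd(buf + 56, 2);
    if (phentsize < 56 || phoff > len) return LINK_NOT_ELF;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off >= len || len - off < 4) return LINK_NOT_ELF; /* truncated program header table */
        uint64_t p_type = rd(buf + off, 4);
        if (p_type == 2 || p_type == 3) return LINK_DYNAMIC;   /* PT_DYNAMIC / PT_INTERP */
    }
    return LINK_STATIC;
}

/* Constructed sample image (not a runnable executable): 64-byte header plus 56-byte
 * program headers, PT_LOAD first and PT_DYNAMIC second when with_dynamic is set. */
size_t build_sample(unsigned char *out, size_t cap, int with_dynamic)
{
    size_t phnum = with_dynamic ? 2 : 1, total = 64 + phnum * 56;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1; out[16] = 2;             /* ELF64, LSB, version 1, ET_EXEC */
    out[32] = 64; out[54] = 56; out[56] = (unsigned char)phnum;  /* e_phoff, e_phentsize, e_phnum */
    out[64] = 1;                                                 /* first phdr: PT_LOAD */
    if (with_dynamic) out[120] = 2;                              /* second phdr: PT_DYNAMIC */
    return total;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];   /* program headers sit near the start of the file */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t len = f ? fread(buf, 1, sizeof buf, f) : build_sample(buf, sizeof buf, 0);
    if (f) fclose(f);
    const char *names[] = { "not ELF64", "dynamic", "static" };
    printf("%s\n", names[classify_elf64(buf, len) + 1]);   /* prints "static" for the sample */
    return 0;
}
```

Run it over the binaries of a package set to list which ones will not exercise an updated library until they are rebuilt.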