On Thu, Mar 8, 2018 at 10:40 AM, Michał Górny <mgo...@gentoo.org> wrote:

> Hello, developers.
>
> I would like to bring to your attention an alarming trend in Gentoo
> ebuilds -- the proliferation of IUSE=static-libs, that is a flag
> allowing our users to build static libraries.
>
> I should like to remind you that static linking is almost always a bad
> idea. It has serious security implications, it is poorly supported on
> *nix systems (example: library dependencies are provided via hacks, we
> don't have proper rebuild capabilities) and should be basically
> considered a great evil. Partially relevant doc: [1].
>
> This is why Gentoo does not generally support statically linking stuff,
> and we force dynamic linking whenever possible (sometimes even going too
> far with that but that's another story). We only allow static linking
> for special cases where shared linking can't be used for one reason
> or another.
>

> As part of that we also shouldn't deliver static libraries unless
> absolutely necessary to satisfy the dependencies of applications which
> we support built statically. Back in the day, Gentoo developers were
> pushing against packages that built static libraries unconditionally.
> However, it seems that at some point this front changed from 'fighting
> unconditionally built static libraries' to 'proliferating
> USE=static-libs everywhere'. Which is bad.
>
>
So to me this is a murky metadistribution / distribution problem.

Like if upstream ships "--enable-static-libs" we should probably support a
USE flag to enable it; this is the metadistribution use case.[1]

For people actually running Gentoo, Gentoo strongly advises not building
static libs (and we can disable the static-libs USE flag in a profile or
otherwise encourage users not to use it because of all the reasons stated.)

> So, developers, please *stop adding USE=static-libs* to random libraries
> that have no reason whatever to be statically linked to. And by that I
> mean a good reason, not creeping featurism, not 'user asked for it', not
> 'this broken package hardcodes libfoo.a'.
>
> If upstream doesn't build static libraries by default, don't add flags
> to make it do it. If upstream builds static libraries by default, just
> pass '--disable-static' instead of adding a flag for it. If upstream
> uses CMake and supports building only one type of libraries, there's no
> need to write patches to make it behave like automake/libtool.
>
> Also, if your package has unnecessary IUSE=static-libs that is not
> correctly needed by any other package, please drop it.
>
> Please remember that not installing static libraries is the first step
> towards preventing broken build systems from unnecessary linking to them
> (think of upstreams who pass -Wl,-Bstatic unconditionally).
>

[1] I am somewhat empathetic to the argument that when we support something
in the metadistribution but no distributions are using it, it can become
stale / broken / untested, and I'd consider not adding the flags on those
grounds though.


>
> Thanks.
>
> [1]:https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies
>
> --
> Best regards,
> Michał Górny
>
>
>
