
On 8/7/18 6:04 PM, Marcus Meissner wrote:
On Tue, Aug 07, 2018 at 06:00:21PM +0200, Michael Ströder wrote:
On 8/7/18 5:39 PM, Michael Matz wrote:
There are cases where we deliver static libs, they are usually historic cases, or where upstream doesn't provide shared libs (and they can't be made easily). But no new static libs without Very Good Reasons (tm).
Some people consider security issues with dynamic linking of setuid executables a good reason to link those statically (or completely avoid certain shared libs).
I'm no expert on this though.
This is superstition.
The libvirt developers were concerned about one such case: "Also note when building the setuid libvirt pieces we must never use GNUTLS because its library constructors do very bad things leading to CVEs." https://www.redhat.com/archives/libvirt-users/2018-June/msg00001.html
If you static link libraries, we need to release updates for the library for both the library and the setuid binary ...
Hmm, but with the OBS processing build dependencies this should not be such a big deal for a couple of setuid binaries. Or?

Ciao, Michael.
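The update burden raised above (a statically linked setuid binary must be rebuilt whenever one of its libraries is patched) is only manageable if you know which setuid binaries are static and which shared objects the dynamic ones pull in. The following is an added example, not code from the thread or from any distribution's tooling: a small ELF64 header parser that classifies a binary as static or dynamic and lists its `DT_NEEDED` entries, plus a walker that finds setuid/setgid files. It parses the file rather than running `ldd`, since `ldd` may execute the program it inspects. The two sample ELF images it checks are constructed in the block (`build_sample_elf` is a hypothetical helper that exists only for this demonstration); the library names it embeds are made-up sample values.

```python
"""Inventory setuid binaries and report their ELF linkage (added example)."""
import os
import stat
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset using the PT_LOAD map."""
    for p_vaddr, p_offset, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address not backed by a PT_LOAD segment")


def elf_linkage(data: bytes) -> dict:
    """Return {'static': bool, 'interp': str|None, 'needed': [names]} for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS: only ELFCLASS64 is handled in this example
        raise ValueError("only ELF64 handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 == little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    loads, interp, dynamic = [], None, None
    for i in range(e_phnum):
        hdr = struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = hdr[:6]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    needed = []
    if dynamic:
        off, size = dynamic
        entries = []
        for j in range(0, size, 16):  # Elf64_Dyn is a signed tag plus a value
            d_tag, d_val = struct.unpack_from(end + "qQ", data, off + j)
            if d_tag == DT_NULL:
                break
            entries.append((d_tag, d_val))
        strtab = next((v for t, v in entries if t == DT_STRTAB), None)
        if strtab is not None:
            base = vaddr_to_offset(loads, strtab)
            for t, v in entries:
                if t == DT_NEEDED:
                    needed.append(data[base + v:data.index(b"\0", base + v)].decode())
    # No interpreter and no dynamic section: nothing is resolved at run time.
    return {"static": interp is None and dynamic is None, "interp": interp, "needed": needed}


def setuid_files(root):
    """Yield regular files under root with the setuid or setgid bit set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path


def build_sample_elf(needed, dynamic=True):
    """Hypothetical helper: build a minimal ELF64 image (constructed test data)."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    strtab, name_offs = b"\0", []
    for n in needed:
        name_offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    align = lambda n: (n + 7) & ~7
    phnum = 3 if dynamic else 1
    interp_off = align(64 + 56 * phnum)
    strtab_off = align(interp_off + len(interp))
    dyn_off = align(strtab_off + len(strtab))
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   [(DT_STRTAB, strtab_off)] + [(DT_NEEDED, o) for o in name_offs] + [(DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdr = lambda t, off, size: struct.pack("<IIQQQQQQ", t, 4, off, off, off, size, size, 8)
    img = bytearray(total)
    img[0:64] = ehdr
    body = phdr(PT_LOAD, 0, total)  # identity map: vaddr == file offset
    if dynamic:
        body += phdr(PT_INTERP, interp_off, len(interp)) + phdr(PT_DYNAMIC, dyn_off, len(dyn))
        img[interp_off:interp_off + len(interp)] = interp
        img[strtab_off:strtab_off + len(strtab)] = strtab
        img[dyn_off:dyn_off + len(dyn)] = dyn
    img[64:64 + len(body)] = body
    return bytes(img)


if __name__ == "__main__":
    import sys
    print(elf_linkage(build_sample_elf(["libc.so.6", "libexample.so.1"])))
    print(elf_linkage(build_sample_elf([], dynamic=False)))
    for p in setuid_files(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        with open(p, "rb") as f:
            print(p, elf_linkage(f.read()))
```

Run it with a directory argument to list every setuid/setgid binary there together with its interpreter and `DT_NEEDED` list; a `static: True` entry is one that will need its own rebuild when a library it embeds is patched, and a `needed` list naming a library you want kept out of setuid code is the other thing to look for.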