Mailinglist Archive: opensuse-packaging (104 mails)

Re: [opensuse-packaging] Splitting up binary packages for large SDKs
On 8/7/18 6:04 PM, Marcus Meissner wrote:
> On Tue, Aug 07, 2018 at 06:00:21PM +0200, Michael Ströder wrote:
>> On 8/7/18 5:39 PM, Michael Matz wrote:
>>> There are cases where we deliver static libs, they are usually historic
>>> cases, or where upstream doesn't provide shared libs (and they can't be
>>> made easily). But no new static libs without Very Good Reasons (tm).
>>
>> Some people consider security issues with dynamic linking of setuid
>> executables a good reason to link those statically (or completely avoid
>> certain shared libs).
>>
>> I'm no expert on this though.
>
> This is superstition.

The libvirt developers were concerned about one such case:

"Also note when building the setuid libvirt pieces we must never use GNUTLS because its library constructors do very bad things leading to CVEs."

https://www.redhat.com/archives/libvirt-users/2018-June/msg00001.html

> If you static link libraries, we need to release updates for the library
> for both the library and the setuid binary ...

Hmm, but with the OBS processing build dependencies this should not be such a big deal for a couple of setuid binaries. Or?

Ciao, Michael.
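As an added example, not code from this thread or from any openSUSE or libvirt project: a small Go scanner that walks a directory, picks out setuid/setgid executables, and reports for each one whether it is statically linked (no PT_INTERP, so a library update means rebuilding the binary, as Marcus notes) or which DT_NEEDED sonames it pulls in, flagging any on a deny list. It reads the ELF headers with the standard library's debug/elf instead of invoking ldd, which would run the binary's own dynamic loader. The deny list containing libgnutls is taken from the libvirt quote above and is an assumption for illustration only, not a policy the thread agrees on; the directory default of /usr is likewise just a convenient starting point.

```go
package main

import (
	"debug/elf"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Report describes one setuid/setgid executable found during the scan.
type Report struct {
	Path    string
	Setuid  bool
	Setgid  bool
	Static  bool     // no PT_INTERP: the kernel maps no dynamic loader at exec time
	Needed  []string // DT_NEEDED sonames; empty for static binaries
	Suspect []string // NEEDED entries whose basename matches the deny list
	Err     error    // not an ELF file, unreadable, etc.
}

// DenyList is an assumption for this example: the thread only quotes libvirt's
// own rule about never using GnuTLS in its setuid helpers.
var DenyList = []string{"libgnutls"}

// SuspectLibs returns the NEEDED sonames whose basename starts with any
// deny-list prefix ("libgnutls" matches "libgnutls.so.30").
func SuspectLibs(needed, deny []string) []string {
	var out []string
	for _, n := range needed {
		base := filepath.Base(n)
		for _, d := range deny {
			if strings.HasPrefix(base, d) {
				out = append(out, n)
				break
			}
		}
	}
	return out
}

// Inspect reads ELF metadata from one file without executing anything,
// unlike `ldd`, which runs the binary's dynamic loader to resolve libraries.
func Inspect(path string, deny []string) Report {
	r := Report{Path: path}
	f, err := elf.Open(path)
	if err != nil {
		r.Err = err
		return r
	}
	defer f.Close()
	r.Static = true
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP { // a requested interpreter means dynamic linking
			r.Static = false
			break
		}
	}
	if !r.Static {
		needed, err := f.ImportedLibraries() // DT_NEEDED entries from .dynamic
		if err != nil {
			r.Err = err
			return r
		}
		r.Needed = needed
		r.Suspect = SuspectLibs(needed, deny)
	}
	return r
}

// Scan walks root (without following symlinks) and inspects every regular file
// carrying the setuid or setgid bit. Unreadable entries are skipped, not fatal.
func Scan(root string, deny []string) []Report {
	var reports []Report
	filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		mode := info.Mode()
		if mode&(os.ModeSetuid|os.ModeSetgid) == 0 {
			return nil
		}
		r := Inspect(path, deny)
		r.Setuid = mode&os.ModeSetuid != 0
		r.Setgid = mode&os.ModeSetgid != 0
		reports = append(reports, r)
		return nil
	})
	return reports
}

func main() {
	root := "/usr" // assumed default; pass another directory as the first argument
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	for _, r := range Scan(root, DenyList) {
		switch {
		case r.Err != nil:
			fmt.Printf("%s: skipped (%v)\n", r.Path, r.Err)
		case r.Static:
			fmt.Printf("%s: static; must be rebuilt for every library fix\n", r.Path)
		case len(r.Suspect) > 0:
			fmt.Printf("%s: links %s\n", r.Path, strings.Join(r.Suspect, ", "))
		default:
			fmt.Printf("%s: %d shared libs, none on the deny list\n", r.Path, len(r.Needed))
		}
	}
}
```

Run it as an unprivileged user with `go run scan.go /usr/bin`; it only needs read access to the files. Pointing it at an extracted package tree rather than a live system gives a packager a per-package view of which setuid helpers would need a rebuild when a library is updated and which ones load a library they would rather keep out of a privileged process.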
