On Mon, 01 Feb 2010 15:14:27 +0100, Jan de Groot <jan@jgc.homeip.net> wrote:
> If a program is built statically against an insecure library, upgrading the insecure library means the static binary is still vulnerable. That's what Allan means.

Well, that's obvious.

> When we switch to glibc-based initramfs, there shouldn't be any need for statically compiled binaries anymore, ever.

Do you know when this is planned? Nevertheless, I don't think that this is always the choice of a package maintainer, because if a piece of software still requires static libraries because upstream decides so, like fbsplash, then this hasn't much to do with the initramfs. I don't think that upstream cares much about an initramfs of a specific distro. But maybe I can ask spock to build a package without static linking, if this is possible in this case. But until then, the static libraries are at least in some cases necessary.

> Static libraries are bad. Besides taking up disk space, they're just bad to use. Ulrich Drepper has a nice PDF about this.

Do you have a link to this PDF?

Greetings,
Heiko