On 2013-09-27 16:36, Thomas Bächler wrote:
In his 'Aren’t statically linked executables huge?' section, he wants to say that statically linked binaries are not as big as people think. For that, he compares two binaries of ksh:
Static uclibc: 170KB Dynamic glibc: 234KB
This comparison is entirely worthless. glibc is not optimized for size and has lots of overhead (as he correctly states). Compile and link the same code dynamically against uclibc and you will get something in the tens of kilobytes.
I use OpenWRT on an embedded device, and they use uclibc and dynamically linked libraries/binaries everywhere - the size difference to statically linked binaries is incredibly huge here, to the point that using static linking will result in a firmware image too large to even flash.
In fact, statically linked executables ARE huge and he is wrong.
He wants to criticise dynamic linking, but in fact only compares uclibc to glibc.
You've missed the point, which is about the currently tolerated size vs. the actual size of linking with uclibc. It's not a direct comparison.
That wording seems lost in translation (it was written by Anselm, who is not a native English speaker). I suspect it is supposed to read "statically linked executables aren't affected by vulnerabilities in the dynamic libraries installed on your system". I'll rewrite that.
Statically linked binaries are affected by the vulnerabilities in the static libraries that were installed on your system _at build time_.
That is what needs to be said here and it is the single strongest argument against static linking. The language barrier is no excuse for not saying that.
I don't see how that wasn't implicit, even in his version...
It is even worse: There is no easy way to determine which version of the library a specific binary was built against. This is a security nightmare.
Well, there isn't any more of a way to do that with dynamic linking,
There is no need to do it with dynamic linking: Any bugs (relevant to security or not) are not in the binary, but only in the shared library. Replacing the shared library with a fixed version solves the bug.
There is a reason that there is package metadata.