[arch-general] glibc 2.18-5 question

Chris Down chris at chrisdown.name
Fri Sep 27 10:10:42 EDT 2013 

On 2013-09-27 15:13, Thomas Bächler wrote:
> Am 27.09.2013 14:56, schrieb Chris Down:
> > Well, static libraries are not a waste of space if it was intentional.
> > Static linking should be preferred for a number of reasons[0], they
> > should be preferred in any sane Linux distribution (of which,
> > unfortunately I can't name any at the moment until stali comes out).
> >
> > 0: http://sta.li/faq
>
> Nothing about using static libraries is sane. That FAQ seems to be about
> some bitterness about glibc and its code, which has nothing to do with
> static and dynamic linking.

Not really. The releated references to glibc are more about refuting the
"size" argument when linking against it (as opposed to a more sane
libc).

> Now, to the key point:
>
> > Aren’t statically linked executables less secure?
> >
> > Several people argue (with implicitly requiring ABI-stability) that
> dynamically linked executables benefit from security fixes in libraries
> they depend on.
>
> What "some people argue" is true. If there is a vulnerability in zlib
> (which actually happened a few years back), all that is needed is to
> rebuild zlib and be happy. A statically linked system would need to find
> every single binary that incorporates zlib and rebuild it.

IMO either way this is a non-argument (in both directions), because any
sane distribution should be able to pinpoint what needs to be rebuilt.

> > This is true to some extend, but if there is a security flaw in a
> dynamically linked library, all programs are affected as well; whereas
> statically executables aren’t.
>
> This is the biggest pile of nonsense I ever read. If there is a flaw in
> a library, all programs that use it are affected - including statically
> linked executables that were built using that library.

That wording seems lost in translation (it was written by Anselm, who
is not a native English speaker). I suspect it is supposed to read
"statically linked executables aren't affected by vulnerabilities in the
dynamic libraries installed on your system". I'll rewrite that.

IMO this is again a non-argument either way.

> It is even worse: There is no easy way to determine which version of the
> library a specific binary was built against. This is a security nightmare.

Well, there isn't any more of a way to do that with dynamic linking,
really, other than the fact it allows you to use a filename in which you
can store the version number. But this is the purpose of a package
manager, and documenting your build process. We could also argue that
there is no standard way of storing version information in many
languages, but that kind of misses the point, which is that the version
is arbitrary, and should be metadata stored by the package manager.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130927/410a206e/attachment.asc>

More information about the arch-general mailing list