
Re: Policy re. static linking of binaries ? (SSH)



On Fri, 11 Jul 1997 01:57:36 BST Philip Hands (phil@hands.com) wrote:

> SSH is currently dynamically linked against libc5, gmp, and zlib1.
> 
> IMHO it should be statically linked, since it is a security program, and might 
> otherwise have its security affected by the replacement of one of these 
> libraries --- what do others think ?

Then let's statically link rlogin, rsh, etc...

> Another reason for static linking is that it provides a way of recovering from 
> failed installs of ld.so and the like.  I have been saved by this in the past, 
> when doing remote upgrades.

Then let's link statically init, bash, ls, e2fsck, dumpe2fs, etc...

> On a related issue, the upstream source for SSH includes the source for both 
> gmp, and zlib1.  Should I be using those, or the Debian versions to link 
> against ?

Debian versions, otherwise it gives you no gain.

We have a policy to use dynamically linked programs everywhere.
IMHO this is a good thing. When one starts to link statically for security's sake (to be proven it's more secure) or for recovery purposes (that's what the rescue disk is for), we never stop.
Plus it obliges us to recompile every time a new version of a library is released.

Let's keep our policy.

Phil.


