[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Policy re. static linking of binaries ? (SSH)

> Hi,
> SSH is currently dynamically linked against libc5, gmp, and zlib1.
> IMHO it should be statically linked, since it is a security program, and 
> might  otherwise have its security affected by the replacement of one of
> these libraries --- what do others think ?

Well, library replacements are usually bug _fixes_! So, upon upgrading
your libc to a new version, you'll instantly fix the bugs in sshd
_if_ it's dynamically linked. What gain is there in linking it static?
Only to ensure the bugs live longer in sshd!

(It's only sshd you are interested in: ssh (the user programme) gets
executed by the user, and any user can build a ssh version with any
shared/static libc version he likes anyway, wheter debian includes a 
shared or static ssh).

joost witteveen, joostje@debian.org
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: