
Re: libnss-db and /usr/lib/* libraries



Henrique de Moraes Holschuh <hmh@debian.org> writes:

> On Thu, 11 Aug 2005, Piotr Roszatycki wrote:
>> Hi. The problem is important not only for libnss-db package but also for 
>> libnss-ldap, libnss-mysql and others.
>> 
>> $ ldd /usr/lib/libnss_db.so.2 | grep /usr
>>         libdb-4.3.so => /usr/lib/libdb-4.3.so (0xb7e10000)
>
> Well, IMHO anything used by libnss needs to either be statically linked (and
> make 200% sure that:
>   1. you *WILL* update it next-day if security fixes or other major updates
>      to any of the statically linked libraries are released -- this is a
>      total pain.
>   2. any dynamic libraries needed are in /lib, and *all* of them use 
>      versioned symbols
>   3. all of the nss module AND static AND dynamic libs are thread-safe AND
>      reentrant-safe
> )
>
> Otherwise you have a critical bug in the system, waiting to happen.
> If you can't get all of the above to be true, it is time to remove that
> particular libnss module from Debian.
>
> libnss modules are *extremely* critical to the system.  They are implicitly
> linked to *EVERY* running binary that is linked against libc (instead of,
> say, dietlibc).

I believe nss modules are even dlopened in a static libc. There is no
way to link them in static.

MfG
        Goswin
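
The `ldd | grep /usr` check quoted above, extended to classify every dependency line of an NSS module (an added example, not part of the original thread; the function names and all sample lines other than the libdb one are constructed for illustration):

```shell
#!/bin/sh
# Added example: flag NSS module dependencies that do not resolve under /lib.
# Input: text in `ldd` output format on stdin. Output: one line per finding.
nss_deps_outside_lib() {
    awk '
        # "name => /path (addr)": a resolved shared-library dependency
        $2 == "=>" && $3 ~ /^\// {
            if ($3 !~ /^\/lib(32|64)?\//) print "OUTSIDE_LIB " $1 " " $3
            next
        }
        # "name => not found": the loader could not resolve it at all
        $2 == "=>" && $3 == "not" { print "NOT_FOUND " $1 }
    '
}

# Constructed sample: the first line is the one quoted in the thread,
# the remaining lines are made up for illustration.
sample_ldd_output() {
    cat <<'EOF'
        libdb-4.3.so => /usr/lib/libdb-4.3.so (0xb7e10000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7cd8000)
        /lib/ld-linux.so.2 (0x80000000)
        libexample.so.1 => not found
EOF
}

# Run the same classification over every NSS module installed locally.
check_installed_nss_modules() {
    for m in /lib/libnss_*.so.2 /usr/lib/libnss_*.so.2; do
        [ -e "$m" ] || continue
        ldd "$m" 2>/dev/null | nss_deps_outside_lib | sed "s|^|$m: |"
    done
}

sample_ldd_output | nss_deps_outside_lib
```

Calling `check_installed_nss_modules` on a live system prints nothing when every module's dependencies resolve under /lib.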


