[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packaging of static libraries

On Sun, 10 Apr 2016, Clint Adams wrote:
> On Mon, Apr 11, 2016 at 12:13:20AM +0800, Paul Wise wrote:
> > We should change policy and packaging tools such that static linking
> > are not enabled by default and only enabled when there is a good
> > reason to do so; when requested by users or when there is some other
> 
> No, we should not.

Agreed.  The correct fix is to:

1) make it clearn that static linking is to be used only when strongly
justified (e.g. system rescue tools like sash).

2) add dependency metadata to track this, so that a tool can schedule
binNMUs as required when a statically-linked dependency gets updated, and so
that it won't cause extra heartburn for the security team.

3) add a way to automatically generate the metadata for (2) during package
build, otherwise it is pointless to even try.

I have a hunch we even have some (maybe even all) of this already...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Reply to: