
Bug#555980: debian-policy: No policy on statically linked binaries



Bill Allombert <ballombe@debian.org> writes:
> On Sun, Nov 15, 2009 at 06:00:13PM -0800, Russ Allbery wrote:

>> This is the case that we're talking about here.  In other words,
>> *entirely* static binaries.  What you get with gcc -static.

> Thus I propose the attached patch.
> (I used 'must' instead of 'should' since the FTP masters are rejecting
> such packages). I explicitly mentioned the GNU C libraries.
> Binaries linked with some other C libraries are a completely different
> kind of fish.

Something of a pet peeve of mine in standards language is to have an
absolute requirement ("must") with a somewhat vague and subjective
exception.  It's not that this is wrong, per se, but I feel like the
subjective exception and the absolute requirement cancel each other out.

Usually I argue for relaxing it to a should.  In this case, I think we can
flesh out the exception somewhat better and preserve the must.

          Binary executables must not be statically linked with the GNU C
          library, since this prevents the binary from benefiting from
          fixes and improvements to the C library without being rebuilt
          and complicates security updates.  This requirement may be
          relaxed for binary executables whose intended purpose is to
          diagnose and fix the system in situations where the GNU C
          library may not be usable (such as system recovery shells or
          utilities like ldconfig) or for binary executables where the
          security benefits of static linking outweigh the drawbacks.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

