
Bug#555980: debian-policy: No policy on statically linked binaries



Hi,

Russ Allbery wrote:

> Usually I argue for relaxing it to a should.  In this case, I think we can
> flesh out the exception somewhat better and preserve the must.
>
>           Binary executables must not be statically linked with the GNU C
>           library, since this prevents the binary from benefiting from
>           fixes and improvements to the C library without being rebuilt
>           and complicates security updates.  This requirement may be
>           relaxed for binary executables whose intended purpose is to
>           diagnose and fix the system in situations where the GNU C
>           library may not be usable (such as system recovery shells or
>           utilities like ldconfig) or for binary executables where the
>           security benefits of static linking outweigh the drawbacks.

Seconded.

If the goal is to align with ftpmaster requirements, another possibility
is to explicitly say

 * packages must not install binaries or object files statically
   linked against glibc unless:

   * the package has a name ending with -static,
   * the final has a name ending with -static or .static, or
   * the package installs a Lintian override file explaining why the
     statically linked object is needed.

I think I prefer your suggestion, though.

Thanks,
Jonathan
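
The three exceptions listed in the message above can be checked mechanically. The sketch below is an added example, not part of the original message and not Lintian's or ftpmaster's own code. It assumes that a 64-bit little-endian ELF executable with neither a PT_INTERP nor a PT_DYNAMIC program header is statically linked, that the second exception refers to the installed file's name, and that the override is known as a boolean. The package names, paths and ELF images are constructed.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification


def program_header_types(data):
    """Return p_type of every program header in a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    return [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def is_static(data):
    # Assumed heuristic: no interpreter request and no dynamic section.
    # It does not prove the C library is glibc and it misses static-pie.
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def violates(package, path, data, has_override=False):
    """True when a static executable matches none of the three exceptions."""
    if not is_static(data):
        return False
    if package.endswith("-static"):
        return False
    if path.endswith(("-static", ".static")):
        return False
    return not has_override


def make_elf(ptypes):
    """Constructed sample: an ELF64 header followed only by program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(ptypes), 0, 0, 0)
    return header + b"".join(struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0)
                             for t in ptypes)


STATIC = make_elf([1])                             # PT_LOAD only
DYNAMIC = make_elf([1, PT_INTERP, PT_DYNAMIC])

if __name__ == "__main__":
    for pkg, path, img in [("foo", "/usr/bin/foo", STATIC),
                           ("foo-static", "/usr/bin/foo", STATIC),
                           ("foo", "/bin/foo.static", STATIC),
                           ("foo", "/usr/bin/foo", DYNAMIC)]:
        print(pkg, path, "VIOLATION" if violates(pkg, path, img) else "ok")
```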

