On Thu, Sep 06, 2007 at 02:27:25PM +0200, Lionel Elie Mamane wrote:
> (Explicitly CCing Edward in the assumption he's not subscribed to this
> list. The message I'm answering to is at
> http://lists.debian.org/debian-devel/2007/09/msg00145.html . I'd like
> to be CCed on followups, although subscribed.)
>
> On Wed, Sep 05, 2007 at 09:38:14AM -0400, Roberto C. Sánchez wrote:
> > On Wed, Sep 05, 2007 at 03:16:07PM +0200, Steffen Moeller wrote:
> >> On Wednesday 05 September 2007 13:23:46 Edward Welbourne wrote:
>
> >>> I'm confused. Pierre appears to be saying "static is bad", Bruce
> >>> "closed must be static".
>
> >> There are multiple views on this.
>
> > The problem runs a little deeper than that.
>
> > Static linking is considered bad because it is a security
> > nightmare. You now have extra copies of library code floating
> > around. Dynamic linking is what the security team likes since it
> > means that you only update the code once for the whole system.
> > However, in the event that there is an update which makes the
> > library non-binary compatible, then there is another problem. That
> > is, apps linking against it must be recompiled. With a non-free
> > product like opera, there would be ability for some well-meaning
>
> Roberto meant "would *not* be ability", I presume.
>
Quite right. My brain works faster than I can type.

> > Debian Developer to NMU the package (since there is no source) or
> > for a binNMU to take place if that could fix the problem.
>
> (That is in the context of a security problem in a library,
> naturally.)
>
> > Additionally, static linking destroys any memory utilization benefit of
> > library code. (...)
>
> > One possible solution would be for Opera to produce a "source"
> > package of unlinked binary object files. This would allow relinking
> > against new versions of the libraries (at least in most cases)
> > without the need for access to the source.
>
> This is already legally required anyway, assuming you link with LGPL
> code: section 6 of LGPL 2.1. Putting it in a Debian "source package"
> would only put it in a most convenient form for your users.
>
Right. My point was that distributing it in such a fashion might address
some of the concerns (though not all, of course) about having something
like Opera even in non-free.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com