Package: debian-policy Severity: important Dear Maintainer,
Current (3.9.8.0) Policy mandates non-PIC static libraries with a few exceptions: --- 10.2 Libraries ... (paragraph about shared libs) As to the static libraries, the common case is not to have relocatable code, since there is no benefit, unless in specific cases; therefore the static version must not be compiled with the -fPIC flag. Any exception to this rule should be discussed on the mailing list debian-de...@lists.debian.org, and the reasons for compiling with the -fPIC flag must be recorded in the file README.Debian. [86] In other words, if both a shared and a static library is being built, each source unit (*.c, for example, for C files) will need to be compiled twice, for the normal case. --- I think with the spreading of PIE binaries the "... since there is no benefit ..." claim does not stand anymore. Non-PIC static libraries can't be linked to PIE binaries thus they are less useful for code sharing among packages. There is also a plan to use a specially configured GCC on several architectures which builds PIE binaries by default and that needs PIC static libraries for not statically linked binaries. [1] Planned archive-wide enabling of bindnow (-Wl,-z,now) hardening setting in dpkg [3] also decreases the speed advantage of non-PIC static libraries. I would like to suggest revising the Policy text and at least allowing shipping PIC static libraries without broader discussion and documentation. I would be in favor of even encouraging PIC for static libraries because that would allow compiling them to PIE binaries. I have already filed many bugs [4] related to the transition to PIE by defauld where the problem can be solved easily by providing PIC static libraries. Note that many packages ship only static libs. Thanks, Balint [1] https://wiki.debian.org/Hardening/PIEByDefaultTransition [2] https://lists.debian.org/debian-devel/2016/05/msg00309.html [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835146 [4] https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=pie-bindnow-20160906&user=balint%40balintreczey.hu
