Ken Moffat wrote:
> On Sun, Jan 08, 2012 at 11:20:33PM +0000, Matt Burgess wrote:
>> Seriously though, I would like to see LFS consider removing as many
>> static libs as possible. If nothing else, it helps massively in keeping
>> systems secure as you only have to upgrade the *1* copy of the
>> compromised library rather than trawl through logs to see what packages
>> brought in a copy of the static library. It also helps with the usual
>> shared library advantages of only having one copy loaded and one copy on
>> disk, though the performance and space benefits are admittedly probably
>> negligible on today's machines.
> I'm all in favour. Following suggestions from Andy, my base lfs
> is down to libc_nonshared, libg, libieee, libm, libpthread_nonshared,
> librpcsvc, libsupc++ for static libs in /usr/lib. I've also got
> static libs in /usr/lib/gcc : libgcc, libgcc_eh, libgcov - I presume
> only gcc will find it easy to use those.
>
> From time to time I've stepped in and deleted libraries when I'm
> sure they're not needed. Meanwhile, I rename them to {,.hidden}
> until I'm sure I don't need them - still got a load of those from
> the toolchain, but I've now built enough to know I don't need them.
> [ in my toolkit is a function to list all .a files in /usr/lib,
> remove those above from the list, and then rename the rest ]
>
> I'm sure some people developing code prefer static libs.

The reason a developer would want a static library is that he would be
reasonably sure that someone changing a dynamic library will not break
the application. Trying to trace a problem that pops up in program xxx
because of a change in yyy.so is, at a minimum, very difficult.

> If we do get rid of these, there is some fun and games for libz in
> module-init-tools and for libcrypt in sysvinit (Andy had a
> suggestion, but since it's from glibc I've left it as hidden and
> just rename it during the sysvinit build).
>
> Also, we forcibly install a libiberty.h header in binutils, as well
> as libiberty.a (I thought we force installed the lib, but I was
> wrong). Last time I looked, it seemed that all packages which need
> libiberty should ship with their own version.

I'm not sure I agree. Checking a version of RHEL, there are 193 static
libraries. Ubuntu has 78. I think we may be chasing a solution without
a problem. I only remember one problem with static libs and IIRC that
was several years ago (zlib).

I don't have a problem with a user removing unnecessary static libs, but
we shouldn't do it for them. If upstream installs it by default, then
so should we.

Perhaps a better place to address this is HLFS.

-- Bruce
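
Ken's quoted mail mentions a toolkit function that lists all .a files in /usr/lib, removes the kept libraries from the list, and renames the rest. The sketch below is an added example of such a function, not Ken's code and not part of the original thread; the function names and the dry-run default are assumptions, and the keep list is the one given in his mail.

```bash
#!/bin/bash
# Added example (hypothetical helper names), not code from the thread.
# Static libraries Ken's mail says remain in /usr/lib on his base system.
KEEP="libc_nonshared libg libieee libm libpthread_nonshared librpcsvc libsupc++"

# hide_static_libs DIR [apply]
# Prints every DIR/*.a whose name is not in KEEP (subdirectories such as
# /usr/lib/gcc are not searched). The default is a dry run; with "apply"
# each listed file is renamed to NAME.a.hidden so the linker cannot find it.
hide_static_libs() {
    local dir="$1" mode="${2:-dry-run}" path name
    for path in "$dir"/*.a; do
        [ -f "$path" ] || continue          # unmatched glob or not a file
        name=$(basename "$path" .a)
        case " $KEEP " in
            *" $name "*) continue ;;        # on the keep list, leave alone
        esac
        printf '%s\n' "$path"
        if [ "$mode" = apply ]; then
            if [ -e "$path.hidden" ]; then  # never overwrite an older copy
                echo "skip: $path.hidden already exists" >&2
            else
                mv -- "$path" "$path.hidden"
            fi
        fi
    done
    return 0
}

# restore_static_lib DIR NAME
# Undo the rename for one library, e.g. libcrypt for the sysvinit build.
restore_static_lib() {
    local hidden="$1/$2.a.hidden"
    [ -f "$hidden" ] || return 1
    [ ! -e "$1/$2.a" ] || return 1          # a visible copy is already there
    mv -- "$hidden" "$1/$2.a"
}

# Usage: hide_static_libs /usr/lib          (dry run, prints candidates)
#        hide_static_libs /usr/lib apply    (as root, performs the renames)
```

Running the dry run first gives the list to review before anything is renamed, and a hidden library can be restored for a single build and hidden again afterwards.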