bet at rahul.net
Wed Jan 7 08:58:28 PST 2004
2004-01-07T08:06:07 Ken Moffat:
> On Tue, 6 Jan 2004, Bennett Todd wrote:
> > I happen to like monolithic kernels, along with entirely
> > statically linked systems with no support for dynamic libraries
> > at all, but then I'm a knuckle-dragging barbarian.
> Sounds fun the next time there's a vulnerability in something
> like zlib - "oh, I've just got to rebuild _everything_".
Yup. Fortunately, I'm also positively rabid about software
packaging, with strong enough tools (rpm, or more recently a new
tool I'm inventing) to completely and robustly automate rebuilding.
While I'm not there yet, I do have the design and plan to add
automated build-time dependency mgmt to my new packaging system, at
which point it'll be easy to automate rebuilding everything that
linked against libz.a.
I really love losing dynamic libraries; with them go most
inter-package dependencies, O Joy!
On general-purpose workstations I do keep support for dynamic
loading around, e.g. perl wants all those lovely dynamically
loadable extensions. But I don't have any .sos in /lib or /usr/lib,
and when I build purpose-specific servers they tend to have vmlinuz,
busybox, perhaps dropbear if I want ssh remote admin, and only the
other daemons that the server actually needs to function.
So yup, I'm willing to lose the ability to slide an updated version
of a dynamic library in underneath all the binaries that use it, in
favour of losing the multiple-package shared dependence on dynamic
I wouldn't claim that security is my motivation for doing this,
and I'm not sure I could defend a claim that my approach improves
security overall. I don't think it hurts it, though, and it improves
speed and flexibility.
P.S. Actually, I told a lie above: while I've built custom servers
as I described, I've not yet finished building a standalone
general-purpose workstation without shared libs. Still work in
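The rebuild problem above (libz.a gets fixed, so every package that embedded it must be rebuilt, including packages that only pulled zlib in through another static archive such as libpng.a) as an added POSIX sh example. This is not code from the post or from Bennett's packaging tool; the one-line-per-package dependency record format and the package names are constructed here for illustration.

```shell
#!/bin/sh
# Constructed build-time dependency records (hypothetical format):
#   package  archives-it-provides  archives-it-linked-against
# "-" means none; lists are comma-separated.
DEPS_DB=$(cat <<'EOF'
zlib libz.a -
libjpeg libjpeg.a -
libpng libpng.a libz.a
libtiff libtiff.a libz.a,libjpeg.a
imagemagick - libpng.a,libtiff.a,libjpeg.a
openssh - libz.a,libcrypto.a
dropbear - libz.a
busybox - -
EOF
)

# Print "pkg provides" for every package whose link line names ARCHIVE.
direct_dependents() {
    printf '%s\n' "$DEPS_DB" | awk -v a="$1" '
        { n = split($3, l, ",")
          for (i = 1; i <= n; i++) if (l[i] == a) print $1, $2 }'
}

# Transitive closure: everything that must be rebuilt after ARCHIVE changes,
# printed as a sorted, space-separated list of package names.
rebuild_set() {
    queue=$1; seen=""
    while [ -n "$queue" ]; do
        lib=${queue%%,*}                                  # pop first archive
        case $queue in *,*) queue=${queue#*,} ;; *) queue="" ;; esac
        for entry in $(direct_dependents "$lib" | tr ' ' ':'); do
            pkg=${entry%%:*}; provides=${entry#*:}
            case " $seen " in *" $pkg "*) continue ;; esac  # already queued
            seen="$seen $pkg"
            # A rebuilt package's own archives now embed the new code, so
            # everything that linked against *them* must be rebuilt too.
            if [ "$provides" != "-" ]; then
                queue="${queue:+$queue,}$provides"
            fi
        done
    done
    printf '%s\n' $seen | sort | tr '\n' ' ' | sed 's/ $//'
}

rebuild_set libz.a   # prints: dropbear imagemagick libpng libtiff openssh
```

Note that imagemagick never links libz.a directly; it is on the list only because libpng.a and libtiff.a carry zlib inside them.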