modules

Bennett Todd bet at rahul.net
Wed Jan 7 08:58:28 PST 2004


2004-01-07T08:06:07 Ken Moffat:
> On Tue, 6 Jan 2004, Bennett Todd wrote:
> > I happen to like monolithic kernels, along with entirely
> > statically linked systems with no support for dynamic libraries
> > at all, but then I'm a knuckle-dragging barbarian.
> 
>  Sounds fun the next time there's a vulnerability in something
> like zlib - "oh, I've just got to rebuild _everything_".

Yup. Fortunately, I'm also positively rabid about software
packaging, with strong enough tools (rpm, or more recently a new
tool I'm inventing) to completely and robustly automate rebuilding.

While I'm not there yet, I do have the design and plan to add
automated build-time dependency mgmt to my new packaging system, at
which point it'll be easy to automate rebuilding everything that
linked against libz.a.

I really love losing dynamic libraries; with them go most
inter-package dependencies, O Joy!

On general-purpose workstations I do keep support for dynamic
loading around, e.g. perl wants all those lovely dynamically
loadable extensions. But I don't have any .sos in /lib or /usr/lib,
and when I build purpose-specific servers they tend to have vmlinuz,
busybox, perhaps dropbear if I want ssh remote admin, and only the
other daemons that the server actually needs to function.

So yup, I'm willing to lose the ability to slide an updated version
of a dynamic library in underneath all the binaries that use it, in
favour of losing the multiple-package shared dependence on dynamic
libs.

I wouldn't claim that security is my motivation for doing this,
and I'm not sure I could defend a claim that my approach improves
security overall. I don't think it hurts it, though, and it improves
speed and flexibility.

-Bennett

P.S. Actually, I told a lie above: while I've built custom servers
as I described, I've not yet finished building a standalone
general-purpose workstation without shared libs. Still work in
progress.
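The operational problem Ken raises, and Bennett's planned answer to it (rebuild everything that linked against libz.a), both depend on being able to find the binaries that carry a private copy of zlib. The following is an added example, not code from the post or from the HLFS project: it inspects ELF64 files, reports whether they are fully static (no PT_INTERP or PT_DYNAMIC program header) and whether zlib's embedded copyright string ("inflate <version> Copyright ..." from inflate.c, "deflate <version> Copyright ..." from deflate.c) is present, which marks an executable that must be rebuilt after a zlib fix. The sample ELF images are constructed inline so the script runs offline; a real scan would walk /bin, /sbin and the server's daemon directories instead.

```python
"""Inventory ELF64 binaries for an embedded copy of zlib (added example)."""
import os
import re
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3

# zlib embeds deflate_copyright / inflate_copyright strings into any object
# that links it; if zlib is linked dynamically, the string lives in libz.so,
# not in the executable, so its presence means a private (static) copy.
ZLIB_MARK = re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright")


def program_header_types(data):
    """Return the p_type values of a little-endian ELF64 image's program headers."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    types = []
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)
        types.append(p_type)
    return types


def classify(data):
    """Return (linkage, zlib_version): linkage is 'static' or 'dynamic',
    zlib_version is the embedded zlib version string or None."""
    types = program_header_types(data)
    dynamic = PT_INTERP in types or PT_DYNAMIC in types
    match = ZLIB_MARK.search(data)
    version = match.group(1).decode() if match else None
    return ("dynamic" if dynamic else "static", version)


def rebuild_candidates(images):
    """Names of images that carry their own zlib and so need a rebuild
    when zlib is patched (sorted for stable output)."""
    return sorted(name for name, data in images.items() if classify(data)[1] is not None)


def scan_tree(root):
    """Walk a directory and classify every ELF file found (skips non-ELF files)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                if data[:4] == ELF_MAGIC:
                    results[path] = classify(data)
            except (OSError, ValueError):
                continue
    return results


def build_elf(ptypes, payload):
    """Construct a minimal ELF64 image (header + program headers + payload).
    Used only to fabricate sample inputs; the images are not loadable."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, EV_CURRENT
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs + payload


# Constructed sample images (the version string mimics zlib 1.1.4's marker).
ZLIB_STRING = b"\0 inflate 1.1.4 Copyright 1995-2002 Mark Adler \0"
SAMPLES = {
    "static-with-zlib": build_elf([PT_LOAD], ZLIB_STRING),
    "dynamic-no-zlib": build_elf([PT_INTERP, PT_LOAD, PT_DYNAMIC], b"\0hello\0"),
    "static-no-zlib": build_elf([PT_LOAD], b"\0hello\0"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
    print("rebuild after a zlib fix:", rebuild_candidates(SAMPLES))
```

Point `scan_tree` at a real root (for instance the contents of a purpose-built server image) to get the same classification per file; a binary tagged "dynamic" that still carries the zlib marker has a private copy of zlib despite using libc.so, and belongs on the rebuild list just like the fully static ones.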