This page aims to document the downsides and mitigations we have in place for those downsides as well as improving the situation in Debian around static linking.
- It requires rebuilding the world when the libraries change.
- It is harder to track than dynamic linking.
- It prevents memory sharing between different executables using the same code.
- It renders some security measure less effective (ASLR for example).
- To comply with the DFSG and GNU GPL, we need to keep old source around.
- Possible to ship incomplete libs. Eg. foo() depends on bar() but bar() not present at link time.
Code can be built non-fpic, which can be 5-20% faster due to register pressure, depending on arch. (Especially numerical code). NB: With gcc-5, -fPIC has less overhead on at least x86/i386: https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
Various technology in Debian uses or is affected by static linking.
C libraries support static linking and files are named *.a and can be unpacked with the ar tool from binutils.
Packages can declare they were built using code from other packages by using the Built-Using header and the Debian archive keeps around old sources, marking them with the Extra-Source-Only header. Debian Policy unfortunately says that Built-Using may *only* be used for the purposes of DFSG/license compliance so tracking static linking must be done using custom headers.
Lintian detects binaries that have been statically linked.
All Haskell libraries are statically linked into the final binary.
The release team have a transition that tracks Haskell rebuilds.
All OCaml libraries are statically linked into the final binary.
The release team have a transition that tracks OCaml rebuilds.
The go tool from golang currently requires all libraries be available in source form and then builds everything into one binary. These source files in the -dev packages are the equivalent of the .a file.
When using gccgo-5 (go -gccgo), the Go runtime library is dynamically linked against an executable, however everything else is again linked "statically".
Michael Hudson-Doyle has tried building shared go libraries. Support for dynamic linking (for amd64 only) has been in Ubuntu for a while. But this plan is just abandoned now.
The golang tooling generates Built-Using headers for all(both direct and indirect) dependencies.
Lisp libraries are cl-* packages shipping the source code in /usr/share/common-lisp/, similar to Go libraries. The compiler (e.g. sbcl) builds a static binary from all used cl-* packages.
The default for Rust is static linking but dynamic linking is available with rustc -C prefer-dynamic.
browserify and other tools merge together multiple JS files for shipping to browsers.
Java has "uberjars" which bundle dependencies into the pre-built jar files.
The Debian archive keeps around old sources referenced by the Built-Using header, marking them with the Extra-Source-Only header.
Manual binNMUs can be done for packages that declare a Built-Using header.
For safety reasons, binaries should be linked dynamically to include hardening features e.g. ASLR. A user should be able to presume that binaries shipped by Debian are safe to use in front-facing (e.g. web services) scripts, etc.
More automatic detection of static linking? #698398
Make it easier to add Built-Using?
Change debian-policy & lintian to discourage static linking?