Differences between revisions 5 and 6
Revision 5 as of 2015-05-19 07:31:55
Size: 2059
Editor: ?VincentBernat
Comment: More downsides.
Revision 6 as of 2015-05-19 07:45:03
Size: 2349
Editor: PaulWise
Comment: license compliance
Deletions are marked like this. Additions are marked like this.
Line 16: Line 16:
 * To comply with the DFSG and GNU GPL, we need to keep old source around.
Line 50: Line 51:
The Debian archive keeps around old sources referenced by the [[https://www.debian.org/doc/debian-policy/ch-relationships.html#s-built-using|Built-Using]] header, marking them with the Extra-Source-Only header.

Intro

In general Debian Policy allows static linking but it has various downsides.

This page aims to document the downsides and mitigations we have in place for those downsides as well as improving the situation in Debian around static linking.

Downsides

  • It requires rebuilding the world when the libraries change.
  • It is harder to track than dynamic linking.
  • It prevents memory sharing between different executables using the same code.
  • It renders some security measure less effective (ASLR for example).
  • To comply with the DFSG and GNU GPL, we need to keep old source around.
  • ??

Affected

Various technology in Debian uses or is affected by static linking.

C libraries

C libraries support static linking and files are named *.a and can be unpacked with the ar tool from binutils.

Packages can declare they were built using code from other packages by using the Built-Using header and the Debian archive keeps around old sources, marking them with the Extra-Source-Only header.

Lintian detects binaries that have been statically linked.

Haskell

All Haskell libraries are statically linked into the final binary.

The release team have a transition that tracks Haskell rebuilds.

OCaml

All OCaml libraries are statically linked into the final binary.

The release team have a transition that tracks OCaml rebuilds.

Go

??

Mitigation

The Debian archive keeps around old sources referenced by the Built-Using header, marking them with the Extra-Source-Only header.

Manual binNMUs can be done for packages that declare a Built-Using header.

Change debian-policy to discourage static linking?