[CentOS] CentOS and GCC Question

Wed Jan 9 05:43:54 UTC 2008
Michael A. Peters <mpeters at mac.com>

Garrick Staples wrote:
> On Wed, Jan 09, 2008 at 02:00:13PM +1300, Clint Dilks alleged:
>   
>> *snip*
>>     
>
> The '-static' means that the linker needs to find a static library archive to
> create a static executable.  That means it wants to find /usr/lib/libmhash.a.
> Without the '-static', it would look for the shared library, libmhash.so.
>
> The mhash-devel package doesn't contain libmhash.a, so your test linking fails.
>
> It has been Fedora/upstream policy for a while to discourage the packaging of
> static archive files.  I'm sure the Fedora wiki has a page explaining why, but
> I'm too lazy to find it right now.

I don't know what reasons the wiki gives, but if a bug (security or 
other) exists in a library and you statically link against it, then when 
that bug is fixed - you have to rebuild all apps that linked against 
the static lib or they will continue to contain the bug, even when 
the library is updated. With shared libraries, that isn't an issue. With 
shared libraries, updating the library is all you need to do.

zlib I believe was a real-world example of this - some years ago (Red 
Hat 5 ??), zlib was found to have a bug that could potentially be 
exploited. A lot of apps linked against the static library. Even after 
zlib had been updated, those apps were still vulnerable until they were 
recompiled.
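
An added example, not part of the original post: one way to find the binaries that still carry their own copy of zlib after the shared library has been updated. It relies on the version banners that zlib's deflate.c and inflate.c compile into any image linked against libz.a; the function names, the sample bytes and the `fixed_version` argument (to be taken from the relevant advisory) are assumptions made here.

```python
import re
import sys
from pathlib import Path

# zlib's deflate.c and inflate.c each define a copyright banner containing the
# version, so a binary linked against libz.a carries it in its own image.
ZLIB_BANNER = re.compile(rb" (?:deflate|inflate) (\d+(?:\.\d+){1,3})[\w.-]* Copyright 1995-")

# Constructed sample: ELF magic followed by banners as an old libz.a would embed them.
SAMPLE_STATIC_APP = (b"\x7fELF" + b"\x00" * 60
                     + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                     + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def embedded_zlib_versions(data: bytes) -> list:
    """Sorted, de-duplicated zlib versions whose banner appears in data."""
    found = {m.group(1).decode() for m in ZLIB_BANNER.finditer(data)}
    return sorted(found, key=version_key)


def scan_tree(root, fixed_version: str) -> list:
    """Return (path, versions) for ELF files embedding zlib older than fixed_version.

    fixed_version is supplied by the caller (assumption: read from the advisory).
    The shared library itself (libz.so*) is skipped: the package update replaces it.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink() or path.name.startswith("libz.so"):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if data[:4] != b"\x7fELF":
            continue
        stale = [v for v in embedded_zlib_versions(data)
                 if version_key(v) < version_key(fixed_version)]
        if stale:
            hits.append((str(path), stale))
    return hits


if __name__ == "__main__":
    print(embedded_zlib_versions(SAMPLE_STATIC_APP))
    if len(sys.argv) == 3:  # usage: script.py <directory> <fixed-version>
        for path, versions in scan_tree(sys.argv[1], sys.argv[2]):
            print(f"{path}: embedded zlib {', '.join(versions)}")
```

A hit means the file has to be rebuilt against the fixed library; a binary with no banner may still use zlib through the shared library, which the package update already covers.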