[CentOS] CentOS and GCC Question

Wed Jan 9 15:18:36 UTC 2008
William L. Maltby <CentOS4Bill at triad.rr.com>

On Tue, 2008-01-08 at 21:43 -0800, Michael A. Peters wrote:
> <snip>

> I don't know what reasons the wiki gives, but if a bug (security or 
> other) exists in a library and you statically link against it, then when 
> that bug is fixed - you have to rebuild all apps  that linked against 
> the static lib or they will continue to contain the bug even, even when 
> the library is updated. With shared libraries, that isn't an issue. With 
> shared libraries, updating the library is all you need to do.

<disclaimer>
I believe in shared libraries and disavow any proclivity towards static
linking as an SOP. However ...
</disclaimer>

Just to add a little balance to the mix, I want to point out that if a
*really* secure and stable environment is needed and is managed by an
attentive and highly competent administrator, the static link avoids the
pitfall that besets shared libraries. If a shared library with a major
flaw - especially security related - is installed, the potential problem
instantly propagates to every application using that library.

As has been detailed, so do the fixes.

OTH, an application(s) that is(are) statically linked may be re-linked
and used as a test vehicle(s) before general application of the updated
library is begun. Although *not* an assurance of stability and correct
operation, this can permit a *relatively* more secure and stable
environment.

The downsides are obvious. The benefits less so. The environment should
determine the choice, with proper balance of cost vs. benefit.

No discussion of imprecise overhead estimates need be posted here. All
are well known and fall under the category of evaluation in a
cost/benefit scenario.

> 
> zlib I believe was a real world example of this - some years ago (red 
> hat 5 ??), zlib was found to have a bug that could potentially be 
> exploited. A lot of apps linked against the static library. Even after 
> zlib had been updated, those apps were still vulnerable until they were 
> recompiled.

And of course, the flip side is that if shared libraries had been in
use, all applications that linked to it would have been immediately
vulnerable.

The longer the time from the dissemination of the flaw to the
dissemination of the fix, the greater the window of opportunity for
black hats and/or disastrous corruption.


> <snip sig stuff>

-- 
Bill