Building Tools From Source

Ralf Corsepius ralf.corsepius at rtems.org
Fri Sep 21 02:56:04 UTC 2012


On 09/21/2012 12:15 AM, Chris Johns wrote:
> Ralf Corsepius wrote:
>>
>> * The symlinks are a way to build these libraries from source while
>> building GCC. This means static linking and therefore is not
>> necessarily a good idea.
>>
>
> I think for RTEMS having these libraries built with GCC (statically
> linked or not) has advantages. The reasons statically linking can be
> considered harmful are well known [1] how-ever having these libraries
> that are an important part of the compiler controlled as part of the
> compiler's configuration set goes a long way to simplifying the
> verification and validation audit. If I was currently responsible for
> building a critical application I would like to be able to audit and
> provide to the V&V team the exact configuration used for testing,
> development and release. For me this means aways building the tools from
> source.

Well, that's the common argument proponents of static linkage come up 
with. With my Fedora Packaging Committee hat on, I cannot avoid to call 
this view "short-sighted" and "dangerous".

Apart from the technical problems static linkage can imply (It's often 
not possible - Does not apply to gmp, mpfr and mpc), experience from 
history tells, in longer terms, static linkage is guaranteed to be hit 
by the downsides of static linkage by different extends.

Prominent example from history: The zlib incident ca. 15 years ago. 
Then, zlib was suffering from security senitive bugs, which had gone 
through unnoticed for a long time. Tnanks to the fact everybody used 
statically linked zlibs, then, when these issues were finially noticed, 
fixing this issue was very tedious for OS vendors and product vendors.

In other words, when vendor supplied libraries suffer from bugs, you're 
better off using shared libs. I don't know if Apple or a trustworthy 3rd 
party supplies binaries for gmp, mpfr, mpc on MacOS (I would be 
surprised if this does not apply), you're likely better off using these 
libraries and to apply shared linkage and not to use your "homegrown" 
static versions.

Ralf





More information about the users mailing list