- Subject: Re: Shared libraries
- From: hasufell <hasufell@...>
- Date: Tue, 13 May 2014 20:27:42 +0000
hasufell:
> Hi,
>
> libraries that only support static builds are no friends of packagers,
> since this can be a practical security problem for the user.
> E.g. project foo statically links liblua.a of version 5.1.5. A day
> later, it is uncovered that lua-5.1.5 is vulnerable... distros upgrade
> the version. However, all applications that have it statically linked
> are not necessarily upgraded. This is a non-trivial problem to figure
> out (some packages may have optional lua support, did the user in case
> of a source distro compile it with or without lua, etc.).
> It requires tracking every single package that statically links lua.
> Also, in case of lua being bundled in projects, it gets even more
> complicated. Then imagine proprietary games, that have it statically
> linked or just regular packages the user compiled himself without any
> package manager.
>
> All in all, statically linking only makes sense in very few cases.
>
> I skimmed through the mailing list and found 2-3 threads about this
> issue. None of them have a good explanation why this is not
> implemented. One said it doesn't work without libtool on all platforms,
> but I wonder:
> * how is this even an argument? At least implement it on platforms where
> it works. Your Makefile already has platform-specific targets.
> * what's wrong with libtool?
>
> On gentoo shared lua build via libtool is reported to work (and
> supported) on these architectures: alpha, amd64, arm, hppa, ia64, mips,
> ppc, ppc64, s390, sh, sparc, x86
>
> Patch is in the gentoo cvs repository [0] and could be edited to suit
> your needs.
>
>
> --
> [0]
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/lua/files/lua-5.1-make-r1.patch?view=markup
>
I'm confused why this thread gets ignored.
You probably don't realize that distros randomly fix this and cause more
of a mess for lua users, because there is no consistency whatsoever.
Not fixing this also breaks compatibility with C# programs under linux
that cannot link to the static lib (you don't want to link it statically
into mono).
This effectively decreases quality of lua.
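
The tracking problem described in the quoted message, as an added example that is not part of the original thread and not code from Lua or Gentoo: a Python scan for files that carry their own embedded copy of Lua. It assumes the copy keeps the `lua_ident` string from `lapi.c`; the names `embedded_lua_versions`, `scan_tree` and `SHARED_LUA` are hypothetical.

```python
import os
import re
import sys

# Assumption: the embedded copy keeps lua_ident from lapi.c, which starts
# "$Lua: Lua 5.1.5 Copyright" in 5.1 and "$LuaVersion: Lua 5.2.4" in 5.2+.
# The lookahead rejects a version number cut off at the end of a chunk.
LUA_IDENT = re.compile(rb"\$Lua(?:Version)?: Lua (\d+\.\d+(?:\.\d+)?)(?=[^\d.])")
SHARED_LUA = re.compile(r"^liblua.*\.(so|dylib|dll)")  # the shared library itself
CHUNK, OVERLAP = 1 << 20, 64


def embedded_lua_versions(path, chunk=CHUNK):
    """Return the set of Lua releases whose ident string appears in the file."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block
            found.update(m.group(1).decode() for m in LUA_IDENT.finditer(data))
            tail = data[-OVERLAP:]  # keep enough to catch an ident split across reads
    return found


def scan_tree(root, fixed_release):
    """Yield (path, release) for files embedding a Lua other than fixed_release."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if SHARED_LUA.match(name) or os.path.islink(path) or not os.path.isfile(path):
                continue  # the shared library is upgraded by the package manager
            try:
                versions = embedded_lua_versions(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for release in sorted(versions - {fixed_release}):
                yield path, release


if __name__ == "__main__":
    # usage: script ROOT FIXED_RELEASE (the release the distro now ships)
    for hit_path, hit_release in scan_tree(sys.argv[1], sys.argv[2]):
        print(f"{hit_release}\t{hit_path}")
```

A hit means the file needs its own rebuild or vendor update. A miss is not proof of absence, since a build that strips or patches the ident string will not be found this way.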