lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


Hi,

libraries that only support static builds are no friends of packagers,
since this can be a practical security problem for the user.
E.g. project foo statically links liblua.a of version 5.1.5. A day
later, it is uncovered that lua-5.1.5. is vulnerable... distros upgrade
the version. However, all applications that have it statically linked
are not necessarily upgraded. This is a non-trivial problem to figure
out (some packages may have optional lua support, did the user in case
of a source distro compile it with or without lua, etc.).
It requires tracking every single package that statically links lua.
Also, in case of lua being bundled in projects, it gets even more
complicated. Then imagine proprietary games, that have it statically
linked or just regular packages the user compiled himself without any
package manager.

All in all, statically linking only makes sense in very few cases.

I skimmed through the mailing list and found 2-3 threads about this
issue. None of them do have a good explanation why this is not
implemented. One said it doesn't work without libtool on all platforms,
but I wonder:
* how is this even an argument? At least implement it on platforms where
it works. Your Makefile already has platform-specific targets.
* what's wrong with libtool?

On gentoo shared lua build via libtool is reported to work (and
supported) on these architectures: alpha, amd64, arm, hppa, ia64, mips,
ppc, ppc64, s390, sh, sparc, x86

Patch is in the gentoo cvs repository [0] and could be edited to suit
your needs.


--
[0]
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/lua/files/lua-5.1-make-r1.patch?view=markup