lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]



Le 13/05/2014 22:27, hasufell a écrit :
hasufell:
Hi,

libraries that only support static builds are no friends of packagers,
since this can be a practical security problem for the user.
E.g. project foo statically links liblua.a of version 5.1.5. A day
later, it is uncovered that lua-5.1.5. is vulnerable... distros upgrade
the version. However, all applications that have it statically linked
are not necessarily upgraded. This is a non-trivial problem to figure
out (some packages may have optional lua support, did the user in case
of a source distro compile it with or without lua, etc.).
It requires tracking every single package that statically links lua.
Also, in case of lua being bundled in projects, it gets even more
complicated. Then imagine proprietary games, that have it statically
linked or just regular packages the user compiled himself without any
package manager.

All in all, statically linking only makes sense in very few cases.

I skimmed through the mailing list and found 2-3 threads about this
issue. None of them do have a good explanation why this is not
implemented. One said it doesn't work without libtool on all platforms,
but I wonder:
* how is this even an argument? At least implement it on platforms where
it works. Your Makefile already has platform-specific targets.
* what's wrong with libtool?

On gentoo shared lua build via libtool is reported to work (and
supported) on these architectures: alpha, amd64, arm, hppa, ia64, mips,
ppc, ppc64, s390, sh, sparc, x86

Patch is in the gentoo cvs repository [0] and could be edited to suit
your needs.


--
[0]
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/lua/files/lua-5.1-make-r1.patch?view=markup

I'm confused why this thread gets ignored.

You probably don't realize that distros randomly fix this and cause more
of a mess for lua users, because there is no consistency whatsoever.

Not fixing this also breaks compatibility with C# programs under linux
that cannot link to the static lib (you don't want to link it statically
into mono).

This effectively decreases quality of lua.

Lua is by default built as a static library yes. But almost all distros provide dynamic libraries too. And on Windows it is really easy to build as a DLL too. I personally use a CMakeLists.txt for that purpose.

I completely agree with you, maybe Lua authors can add additional target to build dynamic libraries too?

I think Lua authors do not want to start using tools like libtool, automess and such because it's too much unix centric.

Regards,
David.