Static linking considered harmful

n0dalus n0dalus+redhat at gmail.com
Tue Nov 28 14:45:33 UTC 2006


On 11/27/06, Callum Lerwick <seg at haxxed.com> wrote:
>
> Your only argument seems to be that these skillful programmers, that
> presumably have advanced math degrees if they're programming scientific
> number crunching apps, and can figure out how to statically compile
> their app, are too retarded to write a trivial one line wrapper script,
> run ldd on their app, and tar up their app with the libs it needs.
>

Going through the main points on
http://people.redhat.com/drepper/no_static_linking.html I don't see a
lot of justification for the complete removal of static linking
support in Fedora. So far the only proposed alternative to static
linking is this approach of sticking the .so files in with the program
and using LD_LIBRARY_PATH in a script -- which is almost just as bad
as static linking.

Here are the main points that Ulrich has made:

* Security holes and bugs can't be fixed by just updating the library
on the system

This is just as much an issue when using the .so file bundle method.

* No load address randomization

Not an issue with the .so file bundle method.

* Less efficient use of memory

Same issue with the .so file bundle method.

* Some libraries require dynamic linking which might try to load
incompatible external code

Same issue with the .so file bundle method.

* Possible accidental violation of the LGPL

Not an issue with shared object bundling, though I suppose for most
software that Fedora users build it's not an issue either.

* ltrace and other tricks don't work

Not an issue with shared object bundling.

So the only advantages shared object bundling has over static linking are:
- Load address randomization
- ltrace and other small things don't work, and there is a (probably
rare) chance of violating the LGPL.

I just don't see why static linking support should be removed because
of these things. While exploits involving fixed addresses do happen,
it's really nothing compared to the risk involved in bundling possibly
broken and insecure libraries along with the application (whether by
static linking or other methods).

In my opinion the strongest argument against static linking is risk of
security bugs and incorrect hard-coding of system-specific actions,
which is just as much an argument against bundling shared objects with
a program.

I'm not defending static linking, but I just think that a better
alternative needs to be found for making portable binaries before we
remove support for it -- there's no point in causing migration
headaches for even a small number of developers/users unless we
actually have something reasonably better to offer.

n0dalus.
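
The first point in the message above (a library fixed on the system does not fix a copy shipped inside an application's .so bundle) can be checked mechanically. The following is an added example, not part of the original message or of any Fedora tooling; the directory layout, the library names (libfoo, libbar, libprivate) and the function names are hypothetical, and the file contents are constructed placeholder bytes rather than real shared objects.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shared_objects(directory):
    """Map file name -> path for each regular file in directory that looks like a .so."""
    d = Path(directory)
    if not d.is_dir():
        return {}
    return {p.name: p for p in sorted(d.iterdir()) if ".so" in p.name and p.is_file()}

def audit_bundle(bundle_dir, system_dirs):
    """Compare each bundled .so with the system file of the same name.

    'shadows-different': system copy exists, bundled bytes differ, so a patched
                         system library is not what the wrapped program loads
    'shadows-identical': same bytes now; diverges at the next system update
    'bundle-only':       no system copy; only the bundle's owner can patch it
    """
    system = {}
    for d in system_dirs:                       # earlier directories win
        for name, path in shared_objects(d).items():
            system.setdefault(name, path)
    report = {}
    for name, path in shared_objects(bundle_dir).items():
        if name not in system:
            report[name] = "bundle-only"
        elif sha256(path) == sha256(system[name]):
            report[name] = "shadows-identical"
        else:
            report[name] = "shadows-different"
    return report

def demo():
    """Constructed layout: an app bundle next to a stand-in system library dir."""
    with tempfile.TemporaryDirectory() as root:
        bundle, syslib = Path(root, "app/lib"), Path(root, "usr/lib64")
        bundle.mkdir(parents=True)
        syslib.mkdir(parents=True)
        (bundle / "libfoo.so.1").write_bytes(b"foo 1.0 (unpatched)")
        (syslib / "libfoo.so.1").write_bytes(b"foo 1.0.1 (patched)")
        (bundle / "libbar.so.2").write_bytes(b"bar 2.0")
        (syslib / "libbar.so.2").write_bytes(b"bar 2.0")
        (bundle / "libprivate.so.0").write_bytes(b"private 0.3")
        return audit_bundle(bundle, [syslib])

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Matching is by file name only, so a bundled copy that was renamed is reported as bundle-only rather than as shadowing the system library.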



