Hi Simon

On Sun, Jan 14, 2024 at 10:47:18AM +0100, Simon Josefsson wrote:
> As an analogy, consider the ./configure script that is generated by
> autoconf during build of many packages.  The script typically generates
> code that is put into config.h that is used (statically) during
> compilation of the binaries that are shipped by Debian.

Could you show an example, where there is actually code injected in this
stage?  And then, this is vendoring, not static linking.

> You could also compare how the source-level reuse-library gnulib is used
> by many essential packages (coreutils, grep, sed, awk, tar, etc), with
> large code-reuse that influences the installed binaries.  A security
> sensitive bug in gnulib would require rebuild of many packages.

That is not static linking, this is vendoring.  And can you show that
GNU utils don't fix security bugs on this vendored lib?

> My suggestion is that we relax or remove the Go/Rust statement in future
> release notes.

No.  You described completely different circumstances.

Or do you have a practical solution for the static linking problem, not
the vendoring problem that you actually compared it against?

Bastian

-- 
A father doesn't destroy his children.
                -- Lt. Carolyn Palamas, "Who Mourns for Adonais?",
                   stardate 3468.1.
