Leandro Lucarella wrote:
> If you use dynamic linking, the user just needs to keep their system updated
> to avoid this kind of issue, and you only need to care about a new release
> when the bugs are really from your program, not third-party libraries.

No, that's backwards.

If the user gets the application and library from a central repository (e.g. apt-get), then it is the responsibility of the repository maintainer(s) to keep everything up to date. Getting a patched executable from the repository is no more or less effort for the user than getting a patched library from the repository. Putting a new executable up is no more or less effort for the repository maintainer(s) than putting a new library up.

If the user gets the application and library from the application developer, then it's the responsibility of the application developer to keep everything patched. Getting a patched executable is still no more or less effort for the user than getting a patched library. Putting a new executable up is no more or less effort for the application developer than putting a new library up.

If the user gets the application and library from separate developers, then keeping the library up to date is the responsibility of the library developer. Getting software from multiple sources is /more/ effort for the user. Furthermore, library developers are rarely set up to distribute software to the end user. Often the library developers don't even distribute binaries.

In summary, there are no cases where dynamic linking makes security updates easier for the end user. There are cases where this separation makes security updates a lot harder for the end user.

--
Rainer Deyke - [email protected]
