On Fri, Dec 23, 2011 at 06:22:37PM -0700, [email protected] wrote:
>
> I just hope that decision to use the Perl lib's included ZLib won't bite
> me later. It was nice to see the compilation take a long time and the
> tests to all pass... but not enough to settle with a broken system by
> the end of the book.
>

It *probably* won't. The main reason to use 'system' libraries instead of versions shipped with another package (we see this a lot more in BLFS) is that the version shipped with another package is set in stone when the package is released. It's also normally linked statically.

There is nothing wrong with static linking within a package. But, many years ago, there was a problem with a vulnerability in a library that had been included in *many* other packages. It took a *long* while to identify all the packages shipping copies of that library, and then to either patch them or change the builds to use the system version - for either fix, the package had to be recompiled. Meanwhile the package itself had been fixed, and everything using the shared 'system' version was fixed as soon as the new version was installed. And that package was ... zlib.

I don't think it's very likely that a similar problem will occur in current versions of zlib, but you can never tell whether an included version is current without spending time investigating, and once bitten, twice shy.

This is also why some of us have a bee in our bonnets about static libraries - if it's only used within a package, no problem. If it's installed into /usr/lib as libfoo.a then you'd better have a means of identifying what used it in case you need to fix a vulnerability.

For myself, my buildscripts have a function which moves static libs in /usr/lib to libfoo.a.hidden (except for *some* toolchain libs - I've never had time to sort out all those that *need* to be static: basically, if there is a vulnerability in the toolchain, it's time to build a new LFS system). So, on my desktop I know that firefox uses (from memory) libcrmf.a - the build failed, so now my scripts rename the hidden static lib when building firefox. Similarly, on my current desktop I've got only static libs from nettle - I know that both gnutls and glib-networking use them.

Security, even at this minimal level, is almost as much 'fun' as editing the books ;-)

Hope the rest of your build goes ok.

ĸen [ since you're new here : 'ken' if you aren't using UTF-8 or can't render the 'ĸ']
--
the first time as tragedy, the second time as farce
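
One way to get the "means of identifying what used it" for zlib in particular, as an added example that is not part of the original mail or of anyone's build scripts: zlib's deflate and inflate sources embed a copyright string containing the release number, so a binary with its own copy linked in can be found by searching for that string. The function names, sample file names and sample versions below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. zlib's deflate.c and inflate.c
# each embed a copyright string that carries the release number, e.g.
# " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ". A binary with its
# own statically linked copy of zlib contains that string.

# embedded_zlib_versions FILE: print each zlib version embedded in FILE.
embedded_zlib_versions() {
    # Turn every non-printable byte into a newline (a portable `strings`).
    LC_ALL=C tr -c '\040-\176' '\n' < "$1" |
        LC_ALL=C grep -E -o '(de|in)flate [0-9][0-9.]* Copyright' |
        cut -d' ' -f2 | sort -u
}

# scan_tree DIR SYSTEM_VERSION: one "path<TAB>version<TAB>status" line per
# embedded copy. The system libz itself is reported too, as "same".
scan_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        for v in $(embedded_zlib_versions "$f"); do
            if [ "$v" = "$2" ]; then s=same; else s=differs; fi
            printf '%s\t%s\t%s\n' "$f" "$v" "$s"
        done
    done
}

# make_sample DIR: constructed stand-ins for real binaries (hypothetical
# names and versions), with binary bytes around the marker strings.
make_sample() {
    mkdir -p "$1/bin" "$1/lib"
    printf '\177ELF\001\002 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \000\001' > "$1/bin/bundled"
    printf '\177ELF\001 inflate 1.2.5 Copyright 1995-2010 Mark Adler \000' > "$1/lib/libz.so.1.2.5"
    printf '\177ELF\001\000no compression code here\000' > "$1/bin/plain"
}

# Demo on the constructed sample tree, treating 1.2.5 as the system version.
demo=$(mktemp -d)
make_sample "$demo"
scan_tree "$demo" 1.2.5
rm -rf "$demo"
```

Any file reported outside the system libz carries its own copy and has to be rebuilt when zlib is fixed, whether its status is "same" or "differs". Packed or otherwise transformed binaries will not show the string, so an empty result is not proof of absence.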
