On Sat, 24 Dec 2011 03:04:10 +0000
Ken Moffat <[email protected]> wrote:

>  This is also why some of us have a bee in our bonnets about static
> libraries - if it's only used within a package, no problem.  If it's
> installed into /usr/lib as libfoo.a then you'd better have a means
> of identifying what used it in case you need to fix a vulnerability.
> For myself, my buildscripts have a function which moves static libs
> in /usr/lib to libfoo.a.hidden (except for *some* toolchain libs -
> I've never had time to sort out all those that *need* to be static :
> basically, if there is a vulnerability in the toolchain, it's time
> to build a new LFS system).

For what it's worth, I've managed to reduce the number of static libs
to 8, all from gcc, binutils or glibc:

andy@eccles:~$ ls /usr/lib/*.a
/usr/lib/libc_nonshared.a  /usr/lib/libmcheck.a
/usr/lib/libg.a            /usr/lib/libpthread_nonshared.a
/usr/lib/libiberty.a       /usr/lib/librpcsvc.a
/usr/lib/libieee.a         /usr/lib/libsupc++.a

It may be possible to get rid of some of these, but fiddling with them
got time-consuming so I gave up.

> 
>  So, on my desktop I know that firefox uses (from memory) libcrmf.a
> - the build failed, so now my scripts rename the hidden static lib
> when building firefox.

This is from nss? This works for me:
ar -x libcrmf.a &&
gcc -shared *.o -o /usr/lib/libcrmf.so &&
rm /usr/lib/libcrmf.a

Firefox is quite happy with a shared libcrmf. I wrote a function that
generalises it:

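function convert_static_to_shared() {
    # Work in a fresh private directory rather than a fixed /tmp path
    local workdir
    workdir=$(mktemp -d) || return 1
    pushd "$workdir" > /dev/null || return 1
    # Move the archive out of /usr/lib, unpack it and relink the objects
    mv "/usr/lib/lib${1}.a" . &&
    ar -x "lib${1}.a" &&
    gcc -shared *.o -o "/usr/lib/lib${1}.so"
    local status=$?
    popd > /dev/null
    rm -rf "$workdir"
    return $status
}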

convert_static_to_shared crmf

Some things need to be compiled with -fPIC in their CFLAGS before their
static libs can be converted to shared.

> Similarly, on my current desktop I've got
> only static libs from nettle

rm /usr/lib/lib{hogweed,nettle}.a

Works for me.

> I know that both gnutls and
> glib-networking use them.  Security, even at this minimal level, is
> almost as much 'fun' as editing the books ;-)

For me, gnutls and glib-networking seem to be quite happy with the
shared libs.

Andy
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
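
An added example, not part of the original message: a POSIX shell function that audits a library directory for static archives outside an allowlist, so that a newly installed libfoo.a is noticed before anything links against it. The allowlist is the eight toolchain archives from the ls output in the message; the function name, variable names and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Allowlist: the eight toolchain archives shown in the ls output above.
ALLOWED="libc_nonshared.a libg.a libiberty.a libieee.a libmcheck.a libpthread_nonshared.a librpcsvc.a libsupc++.a"

# audit_static_libs DIR
# Prints one line per static archive in DIR that is not on the allowlist:
#   UNEXPECTED <path> shared=<yes|no>
# shared=yes means a lib<name>.so* sits beside the archive, so the .a is
# probably redundant; shared=no means removing it may break later builds.
# Returns 0 when nothing unexpected is found, 1 otherwise.
audit_static_libs() {
    asl_dir=$1
    asl_rc=0
    for asl_a in "$asl_dir"/*.a; do
        # An unmatched glob stays literal; skip it.
        [ -e "$asl_a" ] || continue
        asl_base=${asl_a##*/}
        case " $ALLOWED " in
            *" $asl_base "*) continue ;;
        esac
        # Look for a shared counterpart such as libfoo.so or libfoo.so.4
        asl_shared=no
        for asl_so in "$asl_dir/${asl_base%.a}".so*; do
            if [ -e "$asl_so" ]; then
                asl_shared=yes
                break
            fi
        done
        printf 'UNEXPECTED %s shared=%s\n' "$asl_a" "$asl_shared"
        asl_rc=1
    done
    return $asl_rc
}

# Usage: audit_static_libs /usr/lib
```

Run after each package install, a non-zero return flags an archive that needs either converting, removing or tracking.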
