Control: severity -1 wishlist 20.01.2013 01:03, Kees Cook wrote:
I would strongly prefer to avoid shipping a static library for this package to avoid programs linking to this non-dynamically, especially since it makes security updates more difficult to track.
Well, this is a standard excuse for a lack of static library, yet almost all other packages provides static libraries. Policy 8.3 says that the static library is _usually_ provided, but that does not mean it is mandatory. > Do you have a compelling need for this? That's a good question. Not anymore actually - I had this issue due to a bug in a way how qemu configure/Makefile system is written (a bug in there). Qemu has a very good reason to be compiled statically, -- namely their user targets, which are able to emulate foreign-arch cpu so that binaries from foreign architectures can be run in emulated mode on the host kernel. So a usual thing to do is to copy a statically-linked qemu-user binary into a foreign chroot and do a chroot there, -- it will work. qemu build/make scripts linked this qemu-user binary with -lseccomp, and that obviously fails due to lack of static library. But this linking was due to error actually, -- seccomp is not used and makes no sence for qemu-user targets, it makes sence only for qemu-system targets, ie, for full-system emulation, where the set of system calls needed is known. I fixed this bug in qemu now, so static -lseccomp isn't needed by qemu anymore. But the lack of static library appears to be quite.. unusual, since other libs provide static versions. So, I downgraded severity to a wishlist at least, since I don't have a good reason for that. Thanks, also for finding a bug in qemu! :) /mjt -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
