#790 Revise Packaging Guidelines to stop discouraging static libraries.
Opened 2 years ago by ohchahy1. Modified 2 years ago

The ability for a developer using a Fedora system to create static
executables, or to link one or more libraries statically in an
otherwise dynamic executable, is a very powerful capability. This
ability I consider a compelling reason to fully support packaged
static libraries.

Since I can find no rationale for this portion of the guidelines I
can't refute any possible arguments in favor of the current advise.

Metadata Update from @tibbs:
- Issue tagged with: draftneeded

2 years ago

The reason we discourage static libraries predates Fedora, so that may be why it's not here. The rule was borne out of the experience of dealing with fixing vulnerabilities in common copied libraries in the early 2000s. In particular, the most notable being zlib.

We discourage the usage of static libraries as inputs for package builds for this reason. And in the early days, static libraries were bundled in the devel package along with everything else (Debian still does this, for example). That made it easy for software build tools to just prefer static libraries and silently slip those into the build.

These days, we require static libraries to be subpackaged out, though the guidelines do not indicate that they need to hard-require the devel package (they should, as they're useless otherwise).

I don't think we should ban static libraries being built, but we should mandate that they are subpackaged out, and we should do something to ensure that we know whenever static libraries are used as build inputs and tracked and strongly discourage their use for Fedora packages.

I personally have no problem with allowing static libraries to be built as long as they are packaged in accordance with our guidelines. We do already have a general prohibition against a package having a build dependency on any *-static subpackage (though under the current organization it feels like it's a bit buried). This still needs a draft, though. Now you can even send a PR if you like.

The guidelines don't generally include rationale and since the current restriction predates any extant ticketing system it's not possible to point to one.

Login to comment on this ticket.