From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 865381382C5 for ; Thu, 8 Mar 2018 15:40:57 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 68AB1E0905; Thu, 8 Mar 2018 15:40:51 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1CA8FE0814 for ; Thu, 8 Mar 2018 15:40:50 +0000 (UTC) Received: from pomiot (d202-252.icpnet.pl [109.173.202.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id 1CBC8335C09; Thu, 8 Mar 2018 15:40:48 +0000 (UTC) Message-ID: <1520523644.13614.14.camel@gentoo.org> Subject: [gentoo-dev] Proliferation of IUSE=static-libs in Gentoo From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-dev Date: Thu, 08 Mar 2018 16:40:44 +0100 Organization: Gentoo Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.24.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 698152a0-817c-4f59-8565-9dfb8c6fca97 X-Archives-Hash: 2dada80c2b9c85b0e83e6328428bf8ab Hello, developers. I would like to bring to your attention an alarming trend in Gentoo ebuilds -- the proliferation of IUSE=static-libs, that is a flag allowing our users to build static libraries. I should like to remind you that static linking is almost always a bad idea. It has serious security implications, it is poorly supported on *nix systems (example: library dependencies are provided via hacks, we don't have proper rebuild capabilities) and should be basically considered a great evil. Partially relevant doc: [1]. This is why Gentoo does not generally support statically linking stuff, and we force dynamic linking whenever possible (sometimes even going too far with that but that's another story). We only allow static linking for special cases where shared linking can't be used for one reason or another. As part of that we also shouldn't deliver static libraries unless absolutely necessary to satisfy the dependencies of applications which we support built statically. Back in the day, Gentoo developers were pushing against packages that built static libraries unconditionally. However, it seems that at some point this front changed from 'fighting unconditionally built static libraries' to 'proliferating USE=static- libs everywhere'. Which is bad. So, developers, please *stop adding USE=static-libs* to random libraries that have no reason whatever to be statically linked to. And by that I mean a good reason, not creeping featurism, not 'user asked for it', not 'this broken package hardcodes libfoo.a'. If upstream doesn't build static libraries by default, don't add flags to make it do it. If upstream builds static libraries by default, just pass '--disable-static' instead of adding a flag for it. If upstream uses CMake and supports building only one type of libraries, there's no need to write patches to make it behave like automake/libtool. Also, if your package has unnecessary IUSE=static-libs that is not correctly needed by any other package, please drop it. Please remember that not installing static libraries is the first step towards preventing broken build systems from unnecessary linking to them (think of upstreams who pass -Wl,-Bstatic unconditionally). Thanks. [1]:https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies -- Best regards, Michał Górny