From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D3BEE1381F1 for ; Thu, 8 Mar 2018 15:59:42 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A7773E0960; Thu, 8 Mar 2018 15:59:36 +0000 (UTC) Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4C4EBE092F for ; Thu, 8 Mar 2018 15:59:36 +0000 (UTC) Received: by mail-vk0-x234.google.com with SMTP id b65so115658vka.2 for ; Thu, 08 Mar 2018 07:59:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scriptkitty-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=Cv1KufFvnPK2nDbvyvZipD7nKHXJtBgq9fcX1/4gcZU=; b=ZlRV0uUR8VSMc43j4JXhuxHvenJCern1Iilbgxw3V+4REttVpNMzCRZkUyMyIcZSGB 8Gk9L8tIHx+sOTSBlqNl7XABQIT6+qiZUltLs+b04hb7ZiO8KbqgY2pljemyr2xeqtNH XmqboOHYZsEeMPgYiBHqiibLyyuUjD4lwyjbuu92skRh7aFzA06OrEiMPmuEEQ/FqKEn 3OBZ/AZzo+22wjrW1CRUqhDL+R2ue0mli43JCsYOTk+VyE5/Oc8eOl1209wrg7FzXPc1 Dz8n/C7mda/egTrOhVlBbBimoQSSc0FPXEJK+/WBbECzpUHdk0aOPQSISm3NbbdItGhq i35g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to; bh=Cv1KufFvnPK2nDbvyvZipD7nKHXJtBgq9fcX1/4gcZU=; b=EOy9C7yUwC7DFFqawqcwaEjT5t9zfoePU/RxR66oJcL+imUwRVkDG20cThi32Fkpmz 6JTXnEchyOrLjRq2945foAyV+SggtUDvvmX3HXHGEG1z3mdPXGKbmmkccHerAhWhR9ko 6yN/puY7YvQs3ImKl6cIuM6tNO7a4iA3LEAh3VBObPzl/256YXZaq9BTBsaDLRy54xwY 6OheUq6duxDHHrkYyb10SMC55WJJiB7NkwyIooOkdEB5ikWUsy1UlCRQ51dZM7rRJ2pj iFoKmSlC6hqZH2hri9X+ehzjqIiYfRBKkPrYxra8O6x0XPnkhv84ixDwSM10AnSan1Pv TkqQ== X-Gm-Message-State: APf1xPA0eHm6gC1gE9YBk38NeyHpjyGDvaiAMR/bm+EEZx+k4OvKJOBw LMrn/9W4ddBeiyVmPaBbIrRIzkMu6TrBuKWpRCWjyvFR X-Google-Smtp-Source: AG47ELsupZFZOK5YncQ1ZUW7yPEAX4tWNCZQKPJWWXgiatvsjAjmO4TLKm4d6JZU3/zxtZy2z01/Zpow/LrtN1CRV08= X-Received: by 10.31.194.136 with SMTP id s130mr19434933vkf.118.1520524774857; Thu, 08 Mar 2018 07:59:34 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Sender: antarus@scriptkitty.com Received: by 10.176.85.93 with HTTP; Thu, 8 Mar 2018 07:59:34 -0800 (PST) X-Originating-IP: [2620:0:1003:512:e14b:3aa3:62b3:211] In-Reply-To: <1520523644.13614.14.camel@gentoo.org> References: <1520523644.13614.14.camel@gentoo.org> From: Alec Warner Date: Thu, 8 Mar 2018 10:59:34 -0500 X-Google-Sender-Auth: sDONfGfJSQoD8WbqxkYxcEKfNgI Message-ID: Subject: Re: [gentoo-dev] Proliferation of IUSE=static-libs in Gentoo To: Gentoo Dev Content-Type: multipart/alternative; boundary="001a1143036013ff970566e8c395" X-Archives-Salt: 30ef7883-9506-4681-a091-dbe3f80b0fd8 X-Archives-Hash: 75dc501a0c95821f7ec60ebdd3a3f2a4 --001a1143036013ff970566e8c395 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Mar 8, 2018 at 10:40 AM, Micha=C5=82 G=C3=B3rny = wrote: > Hello, developers. > > I would like to bring to your attention an alarming trend in Gentoo > ebuilds -- the proliferation of IUSE=3Dstatic-libs, that is a flag > allowing our users to build static libraries. > > I should like to remind you that static linking is almost always a bad > idea. It has serious security implications, it is poorly supported on > *nix systems (example: library dependencies are provided via hacks, we > don't have proper rebuild capabilities) and should be basically > considered a great evil. Partially relevant doc: [1]. > > This is why Gentoo does not generally support statically linking stuff, > and we force dynamic linking whenever possible (sometimes even going too > far with that but that's another story). We only allow static linking > for special cases where shared linking can't be used for one reason > or another. > > As part of that we also shouldn't deliver static libraries unless > absolutely necessary to satisfy the dependencies of applications which > we support built statically. Back in the day, Gentoo developers were > pushing against packages that built static libraries unconditionally. > However, it seems that at some point this front changed from 'fighting > unconditionally built static libraries' to 'proliferating USE=3Dstatic- > libs everywhere'. Which is bad. > > So to me this is a murky metadistribution / distribution problem. Like if upstream ships "--enable-static-libs" we should probably support a USE flag to enable it; this is the metadistribution use case.[1] For people actually running Gentoo, Gentoo strongly advises not building static libs (and we can disable the static-libs USE flag in a profile or otherwise encourage users not to use it because of all the reasons stated.) So, developers, please *stop adding USE=3Dstatic-libs* to random libraries > that have no reason whatever to be statically linked to. And by that I > mean a good reason, not creeping featurism, not 'user asked for it', not > 'this broken package hardcodes libfoo.a'. > > If upstream doesn't build static libraries by default, don't add flags > to make it do it. If upstream builds static libraries by default, just > pass '--disable-static' instead of adding a flag for it. If upstream > uses CMake and supports building only one type of libraries, there's no > need to write patches to make it behave like automake/libtool. > > Also, if your package has unnecessary IUSE=3Dstatic-libs that is not > correctly needed by any other package, please drop it. > > Please remember that not installing static libraries is the first step > towards preventing broken build systems from unnecessary linking to them > (think of upstreams who pass -Wl,-Bstatic unconditionally). > [1] I am somewhat empathetic to the argument that when we support something in the metadistribution but no distributions are using it; it can become stale / broken / untested and I'd consider not adding the flags on those grounds though. > > Thanks. > > [1]:https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies > > -- > Best regards, > Micha=C5=82 G=C3=B3rny > > > --001a1143036013ff970566e8c395 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Thu, Mar 8, 2018 at 10:40 AM, Micha=C5=82 G=C3=B3rny <mgorny@gentoo= .org> wrote:
Hello, develop= ers.

I would like to bring to your attention an alarming trend in Gentoo
ebuilds -- the proliferation of IUSE=3Dstatic-libs, that is a flag
allowing our users to build static libraries.

I should like to remind you that static linking is almost always a bad
idea. It has serious security implications, it is poorly supported on
*nix systems (example: library dependencies are provided via hacks, we
don't have proper rebuild capabilities) and should be basically
considered=C2=A0 a great evil. Partially relevant doc: [1].

This is why Gentoo does not generally support statically linking stuff,
and we force dynamic linking whenever possible (sometimes even going too far with that but that's another story). We only allow static linking for special cases where shared linking can't be used for one reason
or another.

As part of that we also shouldn't deliver static libraries unless
absolutely necessary to satisfy the dependencies of applications which
we support built statically. Back in the day, Gentoo developers were
pushing against packages that built static libraries unconditionally.
However, it seems that at some point this front changed from 'fighting<= br> unconditionally built static libraries' to 'proliferating USE=3Dsta= tic-
libs everywhere'. Which is bad.


So to me this is a murky metadistribut= ion / distribution problem.

Like if upstream ships= "--enable-static-libs" we should probably support a USE flag to = enable it; this is the metadistribution use case.[1]

For people actually running Gentoo, Gentoo strongly advises not building= static libs (and we can disable the static-libs USE flag in a profile or o= therwise
encourage users not to use it because of all the reasons= stated.)

So, developers= , please *stop adding USE=3Dstatic-libs* to random libraries
that have no reason whatever to be statically linked to. And by that I
mean a good reason, not creeping featurism, not 'user asked for it'= , not
'this broken package hardcodes libfoo.a'.

If upstream doesn't build static libraries by default, don't add fl= ags
to make it do it. If upstream builds static libraries by default, just
pass '--disable-static' instead of adding a flag for it. If upstrea= m
uses CMake and supports building only one type of libraries, there's no=
need to write patches to make it behave like automake/libtool.

Also, if your package has u= nnecessary IUSE=3Dstatic-libs that is not
correctly needed by any other package, please drop it.

Please remember that not installing static libraries is the first step
towards preventing broken build systems from unnecessary linking to them (think of upstreams who pass -Wl,-Bstatic unconditionally).

[1] I am somewhat empathetic= to the argument that when we support something in the metadistribution but= no distributions are using it; it can become stale / broken / untested
and I'd consider not adding= the flags on those grounds though.
=C2=A0

Thanks.

[1]:https://wiki.gentoo.org/wiki/Why_no= t_bundle_dependencies

--
Best regards,
Micha=C5=82 G=C3=B3rny



--001a1143036013ff970566e8c395--