From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eli Collins
To: 9fans@cse.psu.edu
Subject: Re: [9fans] acme, rio workalike available in plan 9 ports
In-Reply-To: <470cd428ca4b59ae758c764934935bf0@terzarima.net>
Message-ID:
References: <470cd428ca4b59ae758c764934935bf0@terzarima.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Tue, 20 Apr 2004 11:40:18 -0500
Topicbox-Message-UUID: 637e3662-eacd-11e9-9e20-41e7f4b1d025

On Tue, 20 Apr 2004, Charles Forsyth wrote:

> >>Oracle had to build/test/ship a new version of their code every time
>
> i think they still have to test their software with the changed bit, regardless whether the library
> is statically or dynamically linked! indeed, i'd have thought one
> advantage of static linking in that case is that the thing being run
> is more likely to be the thing that was tested, without (say)
> a new malloc being substituted by dynamic linking.
>

For security bugs this is a major disadvantage, because you never want
to keep an old copy of the library around. A buffer overflow in strcmp
is now present in practically every binary on the system. Security bugs
need to be fixed asap -- updating copies of all your applications (which
you might not have sources for) just to get rid of a single buffer
overflow seems unacceptable. This of course assumes you can easily track
different versions of strcmp in all your applications with static
linking, which is time intensive at best.
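
An added example, not part of the original message: the tracking problem described above starts with knowing which binaries carry their own copy of the library. This sketch assumes ELF binaries (Linux and similar systems, not Plan 9 a.out) and classifies a file as static when it has neither a PT_INTERP nor a PT_DYNAMIC segment; the function names and the sample image builder are illustrative.

```python
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # ELF program header types
ET_EXEC, ET_DYN = 2, 3         # ELF file types that can be run or loaded

def elf_linkage(data):
    """Classify file bytes as 'static', 'dynamic', 'other-elf' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"            # EI_DATA: byte order
    is64 = data[4] == 2                           # EI_CLASS: 32- or 64-bit layout
    if is64 and len(data) < 64:
        return "not-elf"
    if struct.unpack_from(end + "H", data, 16)[0] not in (ET_EXEC, ET_DYN):
        return "other-elf"                        # e.g. relocatable .o, core file
    phoff = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    types = set()
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                                 # truncated or malformed table
        types.add(struct.unpack_from(end + "I", data, off)[0])
    # No dynamic section and no interpreter: library code is baked into the file.
    # Limitation: static-PIE carries PT_DYNAMIC and is reported as 'dynamic'.
    return "dynamic" if types & {PT_DYNAMIC, PT_INTERP} else "static"

def static_binaries(root):
    """Return sorted paths under root whose ELF headers indicate static linking."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    if elf_linkage(f.read(65536)) == "static":
                        found.append(path)
            except OSError:
                continue                          # unreadable file: skip it
    return sorted(found)

def sample_elf64(ptypes):
    """Constructed minimal little-endian ELF64 image (sample input, not a real binary)."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
```

The resulting list is only the set of files that must be rebuilt or replaced by the vendor; it does not say which library version each one embeds.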