what actually uses xdr_mem.c?
Jacques A. Vidrine
nectar at FreeBSD.org
Thu Mar 27 03:46:20 PST 2003

On Wed, Mar 26, 2003 at 11:45:04PM -0600, D J Hawkey Jr wrote:
> OK, I now have to take this a little off-topic, and ask the following:
>
> Given that it's improbable, if not nearly impossible, to discover what
> statically-linked binaries may be involved with any vulnerability, isn't
> it reasonable to ask if the benefits of statically-linked binaries aren't
> outweighed by the [security] drawbacks?
>
> Granted, a "no static binaries" policy wouldn't cover things outside of
> any given distribution, but at that point, the vendor is absolved.

IMHO making security updates for a completely-dynamically-linked
system would be easier. However, it's not a panacea and there are
reasons one might still want static binaries.

This is not a given:

> Given that it's improbable, if not nearly impossible, to discover
> what statically-linked binaries may be involved with any
> vulnerability,

The way to determine it is to run `make release' without the fix, then
`make release' with the fix, and intelligently compare the results.
It is hard, not `nearly impossible'.

> Should this move on over to freebsd-hackers@ ?

I think it should stop here :-) We don't need another
static-vs-dynamic thread right now (e.g. yet another one finally
finished on freebsd-arch yesterday).

Cheers,
--
Jacques A. Vidrine <nectar at celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
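
The comparison described in the message above, as an added Python example (not code from the post or from the FreeBSD project): it walks two release trees and lists the statically linked ELF images that are new or differ between them. The function names `elf_linkage` and `changed_static_binaries` are hypothetical, and the two directory arguments are assumed to be wherever the pre-fix and post-fix release output was placed.

```python
import filecmp
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types that mark dynamic linking
ET_EXEC, ET_DYN = 2, 3         # ELF file types that are loadable images

def elf_linkage(path):
    """Return 'static' or 'dynamic' for a loadable ELF image, else None."""
    with open(path, "rb") as f:
        ident = f.read(16)
        if len(ident) < 16 or ident[:4] != b"\x7fELF" or ident[4] not in (1, 2):
            return None
        is64 = ident[4] == 2
        end = "<" if ident[5] == 1 else ">"
        hdr = f.read(48 if is64 else 36)          # rest of the ELF header
        if len(hdr) < (48 if is64 else 36):
            return None
        (e_type,) = struct.unpack_from(end + "H", hdr, 0)
        if e_type not in (ET_EXEC, ET_DYN):
            return None                           # e.g. relocatable .o files
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", hdr, 16)
            phentsize, phnum = struct.unpack_from(end + "HH", hdr, 38)
        else:
            (phoff,) = struct.unpack_from(end + "I", hdr, 12)
            phentsize, phnum = struct.unpack_from(end + "HH", hdr, 26)
        for i in range(phnum):
            f.seek(phoff + i * phentsize)
            raw = f.read(4)                       # p_type is the first field
            if len(raw) == 4 and struct.unpack(end + "I", raw)[0] in (PT_DYNAMIC, PT_INTERP):
                return "dynamic"
    return "static"

def changed_static_binaries(old_root, new_root):
    """Static ELF files under new_root that are new or differ byte-for-byte."""
    hits = []
    for dirpath, _dirs, files in os.walk(new_root):
        for name in files:
            new = os.path.join(dirpath, name)
            rel = os.path.relpath(new, new_root)
            old = os.path.join(old_root, rel)
            if os.path.islink(new) or not os.path.isfile(new):
                continue                          # skip symlinks and special files
            if elf_linkage(new) != "static":
                continue
            if not os.path.isfile(old) or not filecmp.cmp(old, new, shallow=False):
                hits.append(rel)
    return sorted(hits)
```

A byte-for-byte difference can also come from anything else that varies between the two builds, so the output is a candidate list to inspect rather than a final answer.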