Subject: re: static linking for NetBSD
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 09/16/2003 17:50:14
   
     I'll tell you why I don't like dynamic linking, particularly for critical
   system components: file and system management.
   
     Do you know how many times I've had to rescue RedHat systems when the
   (DUE TO SECURITY VULNERABILITY!) to the shared libraries left the system
   in a state where the PAM (YES!) was broken and nobody could login? Or worse,
   you can even type "ln" because /lib/ld-linux.so.2 is incompatible with
   /lib/glibc-X.Y.Z?
     Linux is rapidly approaching Windows-Style DLL bit-rot.
   
     I find it much easier to do:
          % /sbin/md5sum /sbin/login 
   
     and compare that value to a known to be good (non-trojan'ed) /sbin/login,
   knowing that since it doesn't load anything, it can't be trojan'ed by libc
   or ld screwing. I just find static linked binaries easier to cope with,
   easier to upgrade, and easier to verify.


did you ever wonder why luke went to the trouble of creating /rescue?
netbsd systems are EASIER to recover from critical system failure now
because of /rescue than ever before, regardless of static vs. dynamic
/bin and /sbin.

netbsd != linux.


.mrg.