Compiler: Size of generated executable file
KennyTM~
kennytm at gmail.com
Tue Jan 12 22:00:45 PST 2010
On Jan 13, 10 11:57, Rainer Deyke wrote:
> Leandro Lucarella wrote:
>> If you use dynamic linking, the user just needs to keep their system updated
>> to avoid this kind of issue, and you only need to care about a new release
>> when the bugs are really from your program, not third-party libraries.
>
> No, that's backwards.
>
> If the user gets the application and library from a central repository
> (e.g. apt-get), then it is the responsibility of the repository
> maintainer(s) to keep everything up to date. Getting a patched
> executable from the repository is no more or less effort for the user
> than getting a patched library from the repository. Putting a new
> executable up is no more or less effort for the repository maintainer(s)
> than putting a new library up.
>
Suppose libc got a security flaw. Instead of downloading and updating 1
library you've got to download and update 1,000 executables. So instead of
distributing (say) 100 KB of binaries the repositories need to send 100
MB to their users. A huge and unnecessary bandwidth waste for both sides, I
would say.

> If the user gets the application and library from the application
> developer, then it's the responsibility of the application developer to
> keep everything patched. Getting a patched executable is still no more
> or less effort for the user than getting a patched library. Putting a
> new executable up is no more or less effort for the application
> developer than putting a new library up.
>
What if the application developer is irresponsible?

> If the user gets the application and library from separate developers,
> then keeping the library up to date is the responsibility of the library
> developer. Getting software from multiple sources is /more/ effort for
> the user. Furthermore, library developers are rarely set up to
> distribute software to the end user. Often the library developers don't
> even distribute binaries.
>
> In summary, there are no cases where dynamic linking makes security
> updates easier for the end user. There are cases where this separation
> makes security updates a lot harder for the end user.
>
>