Compiler: Size of generated executable file

Rainer Deyke rainerd at eldwood.com
Tue Jan 12 19:57:40 PST 2010


Leandro Lucarella wrote:
> If you use dynamic linking, the user just needs to keep their system updated
> to avoid this kind of issue, and you only need to care about a new release
> when the bugs are really from your program, not third-party libraries.

No, that's backwards.

If the user gets the application and library from a central repository
(e.g. apt-get), then it is the responsibility of the repository
maintainer(s) to keep everything up to date.  Getting a patched
executable from the repository is no more or less effort for the user
than getting a patched library from the repository.  Putting a new
executable up is no more or less effort for the repository maintainer(s)
than putting a new library up.

If the user gets the application and library from the application
developer, then it's the responsibility of the application developer to
keep everything patched.  Getting a patched executable is still no more
or less effort for the user than getting a patched library.  Putting a
new executable up is no more or less effort for the application
developer than putting a new library up.

If the user gets the application and library from separate developers,
then keeping the library up to date is the responsibility of the library
developer.  Getting software from multiple sources is /more/ effort for
the user.  Furthermore, library developers are rarely set up to
distribute software to the end user.  Often the library developers don't
even distribute binaries.

In summary, there are no cases where dynamic linking makes security
updates easier for the end user.  There are cases where this separation
makes security updates a lot harder for the end user.


-- 
Rainer Deyke - rainerd at eldwood.com



More information about the Digitalmars-d mailing list