I honestly don't really care how "unreliable" you think shared libraries are, using entirely static linking is how we get gigantic 500MB monoliths that waste disk space and RAM, don't integrate with the rest of the system properly due to mismatched library versions, and also don't get security patches from the system unless you manually update the binary itself.

Static linking may be "easier", but as programmers, it's our job to use the *right* solution, not just the easiest one.

@keith statically linked executables are rarely ever larger than 15 MB??? and the runtime RAM usage difference between statically and dynamically linked executables is basically negligible, since dynamic linking has runtime overhead from loading the used shared object pages and static linking has runtime overhead from, well, not sharing the used functions

dynamic linking would be great if it worked the way its designed to

@keith i apparently missed a whole software discourse

we're supposed to hate dynamic linking now??

that feels like hating oxygen or something

it's just how things work!

@keith i don’t usually comment, but i feel as a dev i gotta speak up. how do you manage the case when distro maintainers let known bugged library versions through, and then users complain that *your app* breaks?

at work we are very fed up with the way e.g. Arch managed software updates without the least due diligence. it's why we resort to Snaps, AppImages and static linking, because otherwise we simply get the rug pulled every other week

@crystalmoon @keith I always feel like this carries an unspoken assumption that software devs are all more competent than distro maintainers, which... nope.

I don't trust most developers to keep libraries up to date or fix bugs, especially bugs in dependencies. I barely trust them to not put malicious code in their stuff. Distros sometimes do a bad job (and they shouldn't, ofc), but there is so much trash software out there that does a much worse job.

@eldaking @crystalmoon @keith I package a few projects that have to be statically linked (rust & go). At least half of them reference outdated libraries (I make spot tests sometimes). Rust warns me if a dependency has a known vulnerability (happened 1 time so far), but how many vulnerabilities does the tool know of? I don’t think I have ever seen one of the projects make a new release to fix an issue in a dependency.

Imagine if OpenSSL were statically linked into every project that uses it. :grimacing_eyes_wide_open:
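The recurring point in this thread is that a statically linked binary carries its own copy of libraries such as OpenSSL, so a distro update to the shared library does nothing for it. The script below is an added example (not code from any of the posters) of how a practitioner can triage that on a fleet of binaries: it parses the ELF64 program headers to tell whether a binary needs a dynamic loader (PT_INTERP) and then greps the file body for the version banners that common libraries embed. Both the PT_INTERP test and the banner regex are heuristics chosen for this example, and `build_sample_elf` only constructs a minimal, non-loadable ELF so the code runs offline; nothing here is specific to any real project.

```python
"""Triage helper: is an ELF binary dynamically linked, and which library
versions are baked into it?  Added example, not code from the thread."""
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
PT_INTERP = 3
EH_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
PH_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes

# Version banners that common libraries leave in .rodata.  This is a
# heuristic (assumption for this example), not a substitute for an SBOM.
LIB_VERSION_RE = re.compile(
    rb"(OpenSSL \d+\.\d+\.\d+[a-z]?"
    rb"|zlib version \d+\.\d+\.\d+"
    rb"|libcurl/\d+\.\d+\.\d+"
    rb"|GCC: \([^)]*\) \d+\.\d+\.\d+)"
)


def classify_elf(data: bytes) -> dict:
    """Report whether `data` is an ELF64 file, whether it asks for a dynamic
    loader, and which known library version strings it embeds."""
    if len(data) < struct.calcsize(EH_FMT) or data[:4] != ELF_MAGIC:
        return {"elf": False}
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    hdr = struct.unpack_from(EH_FMT, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    interp = None
    has_dynamic = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + struct.calcsize(PH_FMT) > len(data):
            break  # truncated or hostile header; stop rather than raise
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(PH_FMT, data, off)[:6]
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    # A binary that names an interpreter will pull shared objects from the
    # system and gets their updates.  Note the caveat: a static-PIE binary has
    # PT_DYNAMIC (for relocations) but no PT_INTERP, so PT_INTERP is the test.
    libs = sorted({m.decode() for m in LIB_VERSION_RE.findall(data)})
    return {
        "elf": True,
        "dynamic": interp is not None,
        "interp": interp,
        "has_dynamic_segment": has_dynamic,
        "embedded_libs": libs,
    }


def build_sample_elf(dynamic: bool, payload: bytes) -> bytes:
    """Constructed sample for offline use: a valid ELF64 header, an optional
    PT_INTERP segment, then `payload`.  Not loadable; just enough structure
    for classify_elf to parse."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    eh_size = struct.calcsize(EH_FMT)
    ph_size = struct.calcsize(PH_FMT)
    phnum = 1 if dynamic else 0
    data_off = eh_size + phnum * ph_size
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1, SysV
    header = struct.pack(EH_FMT, ident, 2, 62, 1, 0, eh_size, 0, 0,
                         eh_size, ph_size, phnum, 0, 0, 0)
    body = header
    if dynamic:
        body += struct.pack(PH_FMT, PT_INTERP, 4, data_off, 0, 0,
                            len(interp), len(interp), 1)
        body += interp
    return body + payload


if __name__ == "__main__":
    # Usage: python triage.py /path/to/bin ...   (falls back to the samples)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify_elf(fh.read()))
    else:
        static = build_sample_elf(False, b"\0OpenSSL 1.1.1k  25 Mar 2021\0")
        shared = build_sample_elf(True, b"\0zlib version 1.2.11\0")
        print("static sample:", classify_elf(static))
        print("dynamic sample:", classify_elf(shared))
```

On a real system the interesting output is the combination `dynamic: False` with a non-empty `embedded_libs`: that binary will keep its baked-in OpenSSL or zlib until someone ships a new build, regardless of what the distro patches. A banner match is a lead, not proof; confirm against the project's own lockfile or SBOM before raising a ticket.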

Anarchism Space