2009/8/13 Juan Lang juan.lang@gmail.com:
The reason you'd want to use dynamic linking is to ease security fix updates. If a flaw is found in libmpg123 that allows remote code execution (for example), any package that has its own version, or that statically links it into the program, needs updating, rebuilding and repackaging.
Again, at what cost? We have a patch proposed that fixes a real flaw (mp3 sounds bad in Wine.) You all are asking Aric to do more to address flaws that are inconsequential, in my opinion (it takes more disk space than it needs to) or only theoretical (the new code might contain as yet unknown vulnerabilities.)
As always, patches talk louder than emails.
I was not suggesting that libmpg123 should be made dynamic.
You asked what the rationale was - citing disk space as the only reason. I was saying that disk space is not the only valid reason for wanting to do this.
But there is a reason for using our own version -- the HeapAlloc/Free and Wine tracing changes that Aric mentioned in the initial email. So for that reason, it won't be practical to dynamically link.
At the end of the day, it all boils down to this: what is the simplest strategy for maintaining the code and updating it in the future.
- Reece