|
|
Boost : |
Subject: Re: [boost] [all] Request for out of the box visibility support
From: Olaf van der Spek (ml_at_[hidden])
Date: 2018-08-21 07:04:22
On Tue, Aug 21, 2018 at 8:22 AM, Gavin Lambert via Boost
<boost_at_[hidden]> wrote:
> As an application creator, you have a bit more free rein to choose whether
> to go all-static or all-dynamic (unless you're forced to use a dynamic
> library).
>
> Note that licenses can also force your hand; for example you can only use an
> LGPL library if you dynamically link to it or if you use GPL or LGPL
> yourself.
>
>
> Using dynamic libraries is nice because they're more modular, and at least
> in the case of an actually shared library can reduce system memory usage.
> They can also aid patch deployment if you know you only need to replace a
> subset of files, or for installing optional plugins. And they usually Just
> Workâ„¢.
>
> But they also increase the security attack surface of your application, both
> due to exposing symbol names and addresses of corresponding code, and
> because it's usually trivial to impersonate an external library.
>
> Static libraries also have a possible advantage of compiling everything into
> a single binary, which might make it easier to create a portable application
> or one that otherwise doesn't require installation.
IMO dynamic libs make sense if they're managed by the system, if you
have to distribute / install them yourself chances are they're not
going to be shared anyway.
Full static, or something that's not easily possible today (AFAIK),
building the library files directly as part of your project, ensures
you always link to the same code and in the latter case ensures the
lib is build with exactly the same settings as your project. The
latter is like header-only libs..
Static CRT is mostly (only?) an issue on Windows isn't it? If only MS
/ Windows itself would take care of installing it.
-- Olaf
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk