Re: [Qemu-devel] [RFC] configure script mistakenly detects static libraries

["Daniel P. Berrangé" <berrange@redhat.com>]

On Mon, Apr 23, 2018 at 05:16:02PM +0100, Peter Maydell wrote:
> On 23 April 2018 at 17:10, Murilo Opsfelder Araujo
> <muriloo@linux.ibm.com> wrote:
> > Hi, everyone!
> >
> > I'm facing an issue on how configure script detects static libraries and
> > would like to hear from community to find a common ground on how to
> > possibly fix it.
> >
> > Throughout configure, we use pkg-config command to verify if a library
> > is installed so qemu can be linked to it. This works fine when linking
> > qemu dynamically. However, configuring qemu with --static can mistakenly
> > detect a library that is actually not present on the system.
> >
> > For example, on Ubuntu Xenial, libcacard-dev package provides only
> > libcacard.so (not libcacard.a) and pkg-config reports success in both
> > cases:
> >
> >     $ pkg-config libcacard
> >     $ echo $?
> >     0
> >
> >     $ pkg-config --static libcacard
> >     $ echo $?
> >     0
> >
> > Since we use `pkg-config libcacard` to set smartcard=yes, this
> > mistakenly enables smartcard feature. This is acceptable with dynamic
> > linkage, but can be an issue with static linkage, where libcacard.a
> > doesn't exist on the system, resulting on a build error:
> 
> This seems to me to be an error in your distro's pkg-config information.
> If static linking against libcacard doesn't work, then
> "pkg-config --static libcacard" should fail.

IIUC, --static isn't actually proving that a static version of a library
exists. Rather it just changes the logic for figuring out the dependancy
graph & compiler/linker flags. So --static will always work fine even if
only the .so is present, and no .a file exists.

Similarly pkg-config without --static doesn't actually guarantee that a
shared .so exists either - just tells you the flags you would need if
it did exist.

This works fine if you always build & ship static & shared versions of
every library, but distros often ditch static builds of all but a
handful of libraries, because of the ripple effect static linking
has when security updates are issued.

> Unfortunately IME the static linking support in distro-suppled
> pkgconfig files is rarely tested, so it's not uncommon for it to
> be broken.
> 
> From an upstream QEMU point of view, we primarily support --static
> for the benefit of the linux-user binaries, not for system emulation.
> So we care more if a "configure --disable-system --disable-tools --static"
> build doesn't work, than if the problem is only with features used
> by the system emulator binaries.

That reduces the 3rd party deps to essentially just your C library and
glib2, which makes it more tractable from a security update POV. I would
certainly not wish to see static linking of a system emulator which pulls
in 150+ 3rd party libraries on my system !

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|