Xfce's autotools should disable static libs by default when initializing libtool (and upgrade syntax to minimum 2.2.6)
Submitted by Samuli Suominen
Assigned to Nick Schermer
Description
All libtool versions prior to the 2.2.6b release are vulnerable to a serious issue:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3736
It's not an Xfce problem, but I'm just saying there's no need to care about versions older than 2.2.6b anymore. Therefore we can use the new syntax for packages:
Remove any AC_PROG_LIBTOOL (and if there is AC_DISABLE_STATIC, that too) and replace it with this:
LT_PREREQ([2.2.6])
LT_INIT([disable-static])
That's the new libtool syntax starting from 2.2.6:
http://www.gnu.org/software/libtool/manual/html_node/LT_005fINIT.html
If someone really wants static libraries/archives out of Xfce4 packages, he can still override it with --enable-static (probably not useful at all on any *nix systems, but it's still there :)
This is from Thunar's and libxfce4ui's configure.ac. This is correct for old syntax so I suggest updating it too to be consistent.
AC_DISABLE_STATIC()
AC_PROG_LIBTOOL()
--enable-static[=PKGS] build static libraries [default=no]
--enable-shared[=PKGS] build shared libraries [default=yes]
This is from xfdesktop's configure.ac. This is missing the call to disable static libs by default.
AC_PROG_LIBTOOL
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes] <- eww!
And these are affected as well:
exo
garcon
libxfce4util
libxfcegui4
xfce4-panel
xfce4-session
xfce4-settings
xfconf
xfdesktop
And most of plugins, but because most plugins are not libraries but executables it's not a real issue for them. However, these plugins are exceptions to that rule and build a library too:
thunar-shares-plugin
xfce4-datetime-plugin (see bug 6659 I already had filed before)
xfce4-notes-plugin
xfce4-playercontrol-plugin
xfce4-sensors-plugin
Overall this would reduce the compile time of Xfce packages and would save distribution maintainers the need to call --disable-static by hand in the package manager's rules (debian/rules, ebuild, PKGBUILD, etc.). And it also saves HDD space in the end :)
Version: git
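
Added example (not part of the original report or of Xfce's build scripts): a Python check that classifies a configure.ac the way the report does, by libtool init syntax, static-library default and LT_PREREQ version. It is a text-level heuristic that assumes the macros appear directly in configure.ac rather than in an included m4 file; the function name and sample inputs are constructed for illustration.

```python
import re

# m4 "dnl" comments and "#" comment lines are removed so that
# commented-out macros are not counted.
_COMMENT = re.compile(r"(?:\bdnl\b.*|^[ \t]*#.*)$", re.MULTILINE)
# LT_INIT with an optional, whitespace-separated option list.
_LT_INIT = re.compile(r"\bLT_INIT\b(?:\(\s*\[?([^\])]*)\]?\s*\))?")
_LT_PREREQ = re.compile(r"\bLT_PREREQ\(\s*\[?\s*([0-9][0-9a-z.]*)")
_OLD_INIT = re.compile(r"\bA[CM]_PROG_LIBTOOL\b")
_OLD_DISABLE = re.compile(r"\bA[CM]_DISABLE_STATIC\b")


def audit_configure_ac(text):
    """Classify how a configure.ac initializes libtool.

    Returns a dict with:
      syntax         - "new" (LT_INIT), "old" (AC_PROG_LIBTOOL) or "none"
      static_default - "no" if static libs are off by default, "yes" if
                       they are on, None when libtool is not initialized
      prereq         - version given to LT_PREREQ, or None
    """
    text = _COMMENT.sub("", text)
    prereq = _LT_PREREQ.search(text)
    new = _LT_INIT.search(text)
    if new:
        syntax = "new"
        disabled = "disable-static" in (new.group(1) or "").split()
    elif _OLD_INIT.search(text):
        syntax, disabled = "old", False
    else:
        return {"syntax": "none", "static_default": None, "prereq": None}
    # The old-style macro still switches the default off when present.
    disabled = disabled or bool(_OLD_DISABLE.search(text))
    return {"syntax": syntax,
            "static_default": "no" if disabled else "yes",
            "prereq": prereq.group(1) if prereq else None}


# Constructed inputs modelled on the three snippets quoted in the report.
THUNAR_STYLE = "AC_DISABLE_STATIC()\nAC_PROG_LIBTOOL()\n"
XFDESKTOP_STYLE = "AC_PROG_LIBTOOL\n"
PROPOSED_STYLE = "LT_PREREQ([2.2.6])\nLT_INIT([disable-static])\n"

if __name__ == "__main__":
    for name in ("THUNAR_STYLE", "XFDESKTOP_STYLE", "PROPOSED_STYLE"):
        print(name, audit_configure_ac(globals()[name]))
```
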