[kwlug-disc] Zig's guy interview

Chris Frey cdfrey at foursquare.net
Wed Jun 3 19:29:38 EDT 2026


On Wed, Jun 03, 2026 at 03:58:37PM +0000, Mikalai Birukou via kwlug-disc wrote:
> > I'd rather share memory across as many shared libraries as possible,
> > than have multiple slightly different libc's and libz's and libssl's
> > statically linked in unsharable apps.
> 
> And by memory, you mean disk storage. File system cache memory.
> 
> Cause, if it is a memory of running instances/processes, than "shared"
> becomes a concern.

No, I mean RAM.

Suppose 3 programs use the same libfoo.so.  That library is loaded into
RAM once, and all 3 different programs use the same copy.

If those 3 programs are statically linked, then libfoo is loaded into
RAM 3 times, wasting the extra 2 copies.

You are correct that static linkage wastes disk space too, because a
copy of libfoo will be included in 3 separate program files, but
I'm less concerned about that.

In some specific low-level cases, static linking can save space (because
linking against libfoo.a only grabs the .o files that the program really
needs), but dynamic linking provides memory sharing across all of
the library's functionality, instead of saving space through
selective copying only.

In most cases, static == waste.  Sometimes it's worth it, but in my
opinion, most cases it's not.  As a system admin and a programmer,
I want the choice to do both, and dev frameworks that can't do
dynamic are not fully grown yet.


> > It may not be the 80's, but memory size still matters to some.
> > In most cases, I view static linking == waste.
> 
> Was an actual injection step in that xz story using a dynamic linking
> process? Mangled, whatever. But this is an attack point.

I think that's entirely the wrong lesson to learn from the xz story.
The problem was that a BlackHat was given maintainer access to a critical
piece of infrastructure.

If you build code from a repository that a BlackHat was able to commit
his code to, it doesn't matter if you build it dynamically or statically,
you'll still be running his code.

You might be able to shield other pieces of your system by building
them statically (like openssh, or even the kernel to prevent the recent
local priv attacks through dynamic modules) but the real hole is bad
code coming into your system through trusted channels like upstream
repos, distros (Debian/Ubuntu/Redhat) and even Docker Hub, etc.
I doubt static will help much there.

- Chris



More information about the kwlug-disc mailing list