Maintained by: NLnet Labs

[Unbound-users] Unbound release 1.4.12

Gábor Lénárt
Mon Jul 18 17:19:35 CEST 2011


Hi,

On Mon, Jul 18, 2011 at 10:11:43AM -0400, Paul Wouters wrote:
> On Mon, 18 Jul 2011, lst_hoe02 at kwsoft.de wrote:
> 
> >May I ask if it is really needed to exclude ldns from the tarball? It
> >was really handy to not download yet-another-tarball, have a look
> >at the checksums and move it to the right destination, then do
> >configure/make for the libs and start over with unbound again. How
> >many people actually need it to be excluded?
> 
> See the many discussions here in the past. The Debian and Fedora maintainers
> both asked for it to be decoupled, as the tarball copy inside unbound is
> confusing and can sometimes accidentally get linked by unbound if the
> ldns dev/devel package is not installed. Statically linked libraries on
> systems are not good. If you think you have ldns 1.6.10 but unbound had
> been statically linked to 1.6.9, you might have a security issue.....
> 
> Also, not every unbound requires a new ldns.
> 
> And of course, people use ldns and ldns-python without unbound.

I can be wrong here, but as far as I know unbound used the "built-in"
ldns only if the specific configure option was used, and it was not the
default (if I am wrong, it can be made a non-default option, so it would
be used _only_ if someone is sure that they requested it at the time of
running ./configure). So I can't see why it can cause problems that unbound
provides the usage of built-in ldns, and only if it is requested by the
person who compiles it. Debian/Fedora maintainers should simply not use the
--with-ldns-builtin switch of ./configure, it's as simple as that. Or did I miss
something here? Now I have to compile ldns too, because the LTS version of
Ubuntu Server does not have a "recent enough" libldns package. So for me
(and maybe for many people) this is just a disadvantage. Not everybody uses
"bleeding edge" distributions; I prefer more stable ones, that's why I am
using LTS versions of Ubuntu, for example. I think it's a must in a
sensitive environment, where stability is important (still, I may use
newer software, but I prefer to have as many packages from a
"stable" OS repository - like LTS/Ubuntu - as possible, and only compile a
single piece of software by hand, which is the "heart" of the service the server
is created for. So I have a solid architecture I can build on).

Anyway, it's not my decision, and for sure I have no intent to start a flame
about this topic. If it's decided to be this way, it will be, period.

However, I am still having problems getting the "old behaviour". How can I
compile unbound to link against libldns statically? I couldn't figure it out
without ugly hacks (see my previous mail); it seems even
"--enable-static-exe" does not work (and it also sounds a bit "dangerous"
when the help of the configure script talks about "for debug purposes"); ldns
is still linked dynamically, at least the output of ldd on the unbound binary
shows libldns too.
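The check the thread keeps coming back to (does this unbound binary pick up the system libldns at run time, or does it carry its own copy?) can be scripted. The following is an added example and is not code from the thread or from the unbound project; it parses the text of `ldd <binary>` and reports whether a shared libldns is listed. The sample ldd outputs below are constructed, and `/usr/sbin/unbound` is only an assumed install path.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Classify how a binary links libldns from the text of `ldd <binary>`.
#   "dynamic <path>" : a shared libldns is resolved from <path>; the
#                      version you get is whatever the system ships there.
#   "missing"        : libldns is required but not found on this system.
#   "none"           : no shared libldns is listed; either the binary does
#                      not use ldns, or ldns was compiled in statically
#                      (e.g. via --with-ldns-builtin), in which case a
#                      system libldns upgrade does NOT reach this binary.

ldns_link_status() {
    printf '%s\n' "$1" | awk '
        /libldns\.so/ {
            if ($0 ~ /not found/) { print "missing"; found = 1; exit }
            # ldd line shape: "libldns.so.1 => /usr/lib/libldns.so.1 (0x...)"
            for (i = 1; i <= NF; i++) {
                if ($i == "=>") { print "dynamic " $(i + 1); found = 1; exit }
            }
            print "dynamic " $1; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample ldd outputs (addresses shortened, not real systems).
SAMPLE_DYNAMIC='	linux-vdso.so.1 =>  (0x00007fff0000)
	libldns.so.1 => /usr/local/lib/libldns.so.1 (0x00007f00001000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f00002000)'

SAMPLE_STATIC='	linux-vdso.so.1 =>  (0x00007fff0000)
	libcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0 (0x00007f00003000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f00002000)'

SAMPLE_MISSING='	linux-vdso.so.1 =>  (0x00007fff0000)
	libldns.so.1 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f00002000)'

# Stand-alone usage: inspect a real binary if one is given, otherwise
# show the three constructed cases.
if [ $# -gt 0 ]; then
    ldns_link_status "$(ldd "$1" 2>/dev/null)"
else
    echo "dynamic sample: $(ldns_link_status "$SAMPLE_DYNAMIC")"
    echo "static  sample: $(ldns_link_status "$SAMPLE_STATIC")"
    echo "missing sample: $(ldns_link_status "$SAMPLE_MISSING")"
fi
```

Run it as `sh check-ldns.sh /usr/sbin/unbound` (assumed path). A result of "none" on a binary that is known to use ldns is the situation Paul describes: the copy of ldns inside the binary is frozen at whatever version it was built from, so patching the system libldns package will not fix it, and the binary has to be rebuilt instead.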