From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oo1-xc32.google.com (mail-oo1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) by sourceware.org (Postfix) with ESMTPS id 35ED63858CDA for ; Wed, 21 Feb 2024 17:29:06 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 35ED63858CDA Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=tramnitz.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=tramnitz.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 35ED63858CDA Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::c32 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708536548; cv=none; b=bF4TQNgyU6XCTQnCEwQt/6kLJcKqaM+QWjPVvRGvUo1ui8u15/CD3N4iGQ0/+7c+DqNYjLoFPMn9jogpBy44QvYPGPMC/pHuuzDBAl9ruhtm/Ck9blNSqHebPYBgG+ph26aQu1YJ8i0mEAWQLpvEn9/KER5GdhySvugVy3MQbgo= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708536548; c=relaxed/simple; bh=u1FbE/nfNA2fskr3Eg+Hys4bR5xv7oLDohM+yUjPWUw=; h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To; b=wHAIYw07K1bMAd+28X4osj3MD/VwnDnMvewktTA8YEQF6XTKo8uy+OfyXaJobGPyb1KNcdjqccOl8++JEbjX1NEu72fMrhPNeSeVfYSftXmMenRteCNZuBl6twnqwrDtQ6q/AfDpbkVOQq/XOwirCeH0sEo1yk+YSgGYmYThP2Q= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-oo1-xc32.google.com with SMTP id 006d021491bc7-59a87156cb8so2160449eaf.2 for ; Wed, 21 Feb 2024 09:29:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tramnitz-com.20230601.gappssmtp.com; s=20230601; t=1708536545; x=1709141345; darn=gcc.gnu.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=u1FbE/nfNA2fskr3Eg+Hys4bR5xv7oLDohM+yUjPWUw=; b=rBSDxah23o54Gms5r69gN0adV2eAbariwDf6pEfCZpJ35QEghzao+eILL+cemlo3sw /gqWwCYb/D2FwGnZmt1idIJAs9bfNYL+J99/92vma7EibZxzJaGlX6pcSNCy2RVGifdJ USVKjdXopkaxwUxuVuFcIM2jO0amfdoGolYny+21N3zGC2I+KBelmr/kMHxm1E431Kgg aKmVWVjgpxWt+s0s8rzq/OprCP6GyQxeeYocyJlBVrIjxbwTdoMSiuzMBAkj75DlN9tN /PYoCESI/Du3sgUrh/tJ7UtKbp9IoZ8wRTg/HrCgju+PZYxUJomGLrkPjETVGKX8xGaq UTvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708536545; x=1709141345; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=u1FbE/nfNA2fskr3Eg+Hys4bR5xv7oLDohM+yUjPWUw=; b=fnWK5R+iRt1upq60IIW0hykGWrd2nq5JJ8OO+JfLDjEcHoVZLJasmJCdtrfFWBqyat z+/0eu5FJOb7otd/ha2Ndd+GZR6s6VjsZGjcevAqH4aUAuvsGBzOGdMD2MdTSCiCV612 60Ls7hANOXoVH5blaDpTOVo8swfIk9A/1xROjyeAm42uAdq0KLxqEBUjge9cWAAw6kWW HW4wY70Bzgio8JZO0A9Rcf5Ea0Tl1WEdgfgdKigW9etNqyzGYxenRH0XgZByN+FfJ2dL HPjnZaTgC5akQ5cJ+hC5fHp05tbl10IdVzpH9hnYR1MIczsmXXOkwMBhm4bU8yHmDmmw dxSg== X-Gm-Message-State: AOJu0YycmyeRyMrK8N5ZqZtZYjtYm+aJLfc3kTqEG47Q4ZaJtIXjLh1W L13CIGG9TxDBmwV/nWAsIpI79KDi7Qvzwg+wfhtovrln9RGcRilcAdGevYGHgbqFJ/zCN7R7SJc RgSIxhTwunqLYWlEs9Rlfv+Y9gN+hR7cEZCPwMrFJHjlZGKKDUko= X-Google-Smtp-Source: AGHT+IGvkakFwJXCOjrkM5juz4R+ADetydjmx5gxPKoYqaMEtGDAGKobU2GZcrOSJkFMYu+zffNjMqvsiyEfnR8Rmpw= X-Received: by 2002:a4a:bd87:0:b0:59f:e387:7ed with SMTP id k7-20020a4abd87000000b0059fe38707edmr7513252oop.8.1708536545040; Wed, 21 Feb 2024 09:29:05 -0800 (PST) MIME-Version: 1.0 From: Christian Tramnitz Date: Wed, 21 Feb 2024 18:28:29 +0100 Message-ID: Subject: ld: document static libraries when performing static linking To: gcc@gcc.gnu.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Hello, For statically linked binaries one wants to keep track of external libraries that were pulled in at link time. I haven't found any initiatives or standards trying to achieve this yet, so I would like to make a proposal. ld already supports the `--depedency-file=` option to create a depfile, to some degree, documenting dependencies in Makefile format. While it's a good starting point, it's not sufficient. Would it be feasible to create another option, that a) just records dependencies to external, static-libs (within the depfile this could be achieved by looking for path names outside the build dir and having an .a file extension - but this is not neccessarily exhaustive). This doesn't need to be unique, post-processing is expected to take place anyway. b) documents the actual objects (enhanced: down to function level if information exists from compiling with -ffunction-sections and -fdata-sections) that were pulled in from the library archive, similar to the output from `--verbose` "(/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../lib64/libc.a)stpcpy-avx2.o" c) outputs this in some sort of structured format for later processing, e.g. as simple as ,, my-obj,/usr/lib64/libc.a,stpcpy-avx2.o my-obj,/usr/lib64/libc.a,stpcpy-avx2-rtm.o my-obj,/usr/lib64/libc.a,getsrvbynm.o my-obj,/usr/lib64/libc.a,stpcpy-evex.o d) - if ld doesn't support this already (couldn't find looking through man) - ld had some sort of no-op/pretend option that doesn't actually produce a linked output but only pretends it would? Purpose: The consumer of this information might be a distributor, keeping track of things in the distribution specific packaging database format. Or it could even be embedded into the resulting binary itself. Background: This output can be used to I) validate license compliance (it would make it possible to discover conflicting licenses of derived work) II) allow vulnerability tracking, when vulnerabilities existed in included static libraries (at build/link time) The latter would be further supported by b) as a vulnerability may not even exist in the resulting object if the vulnerable function wasn't included by linking. Best regards, Christian