[Secure-testing-team] Static linking LLVM

Seo Sanghyeon tinuviel at sparcs.kaist.ac.kr
Mon Aug 29 04:06:36 UTC 2011


Recently Mesa DRI started to use LLVM. (I noticed this because of
sudden increase in package size.) According to the changelog of
Debian source package mesa:

"Build r300 classic (through DRI_DRIVERS) everywhere, since r300g comes
with a few additional requirements: LLVM is needed for this driver,
and apparently only works fine on x86 platform. As a consequence, only
build r300g on amd and i386, and add llvm-2.9-dev build-dep on those
platforms accordingly. Disable it explicitly on other platforms."

>From what I can tell, r300_dri.so and r600_dri.so under
/usr/lib/i386-linux-gnu/dri in libgl1-mesa-dri package statically link
LLVM 2.9. Since LLVM is a complex software and it is not inconceivable
that security issues will be found, I think this should be noted in
embedded-code-copies file.

CC'ing Debian X Strike Force who may have some ideas.

Seo Sanghyeon



More information about the Secure-testing-team mailing list