Jump to content

  • Log In with Google      Sign In   
  • Create Account

FREE SOFTWARE GIVEAWAY

We have 4 x Pro Licences (valued at $59 each) for 2d modular animation software Spriter to give away in this Thursday's GDNet Direct email newsletter.


Read more in this forum topic or make sure you're signed up (from the right-hand sidebar on the homepage) and read Thursday's newsletter to get in the running!


#ActualSimonForsman

Posted 11 January 2013 - 08:13 PM

<blockquote class="ipsBlockquote" data-author="simast" data-cid="5020520"><p>Comparing a C/C++ run-time to the Java/.NET framework dependency is a bit too much? The game I am working on has around 7 binary lib dependencies.. And they are all statically linked. The EXE has zero dependencies (other than standard Windows DLLs of course). Heck, it does not even need an installer. The only reason why most of the C++ games require MSVCR DLLs installed are because developers are lazy, don't want to build static libraries themselves for their compiler/MT/MD support and just link with the binary DLL packages they can find on the net.</p></blockquote>

Why would you statically link third party libraries ?

If a statically linked library contains a security hole and you don't patch your software immediatly you expose your users to unnecessary risks, if a dynamically linked library contains a security hole the user will get an updated version of the library installed automatically by the OS(Atleast on those with a modern package management system, Windows still only sends out updates for Microsofts software, but the RTE for C++ on Windows is Microsoft software and it does get security fixes, some critical, through Windows Update) as soon as it is available.

Here is an example: http://technet.microsoft.com/en-us/security/bulletin/ms11-025
a bug in the Visual C++ 2008 and 2010 redistributables (MFC part of it) that allowed attackers to execute arbitrary code on machines running software using some of those functions.

Now what is best, that the end user gets the fix through windows update or that he has to find out about the security flaw and then manually install a custom patch for EACH application whos developer used the affected functions but was too lazy to make a proper installer for his software.

Static linking is the lazy route, making sure your application installs properly is the proper way to go.

#3SimonForsman

Posted 11 January 2013 - 08:13 PM

<blockquote class="ipsBlockquote" data-author="simast" data-cid="5020520"><p>Comparing a C/C++ run-time to the Java/.NET framework dependency is a bit too much? The game I am working on has around 7 binary lib dependencies.. And they are all statically linked. The EXE has zero dependencies (other than standard Windows DLLs of course). Heck, it does not even need an installer. The only reason why most of the C++ games require MSVCR DLLs installed are because developers are lazy, don't want to build static libraries themselves for their compiler/MT/MD support and just link with the binary DLL packages they can find on the net.</p></blockquote>

Why would you statically link third party libraries ?

If a statically linked library contains a security hole and you don't patch your software immediatly you expose your users to unnecessary risks, if a dynamically linked library contains a security hole the user will get an updated version of the library installed automatically by the OS(Atleast on those with a modern package management system, Windows still only sends out updates for Microsofts software, but the RTE for C++ on Windows is Microsoft software and it does get security fixes, some critical, through Windows Update) as soon as it is available.

Here is an example: http://technet.microsoft.com/en-us/security/bulletin/ms11-025
a bug in the Visual C++ 2008 and 2010 redistributables (MFC part of it) that allowed attackers to execute arbitrary code on machines running software using some of those functions.

Now what is best, that the end user gets the fix through windows update or that he has to find out about the security flaw and then manually install a custom patch for EACH application whos developer used the affected functions but was too lazy to make a proper installer for his software.

Static linking is the lazy route, making sure your application installs properly is the proper way to go.

#2SimonForsman

Posted 11 January 2013 - 08:10 PM

<blockquote class="ipsBlockquote" data-author="simast" data-cid="5020520"><p>Comparing a C/C++ run-time to the Java/.NET framework dependency is a bit too much? The game I am working on has around 7 binary lib dependencies.. And they are all statically linked. The EXE has zero dependencies (other than standard Windows DLLs of course). Heck, it does not even need an installer. The only reason why most of the C++ games require MSVCR DLLs installed are because developers are lazy, don't want to build static libraries themselves for their compiler/MT/MD support and just link with the binary DLL packages they can find on the net.</p></blockquote>

Why would you statically link third party libraries ?

If a statically linked library contains a security hole and you don't patch your software immediatly you expose your users to unnecessary risks, if a dynamically linked library contains a security hole the user will get an updated version of the library installed automatically by the OS(Atleast on those with a modern package management system, Windows still only sends out updates for Microsofts software, but the RTE for C++ on Windows is Microsoft software) as soon as it is available.

Here is an example: http://technet.microsoft.com/en-us/security/bulletin/ms11-025
a bug in the Visual C++ 2008 and 2010 redistributables (MFC part of it) that allowed attackers to execute arbitrary code on machines running software using some of those functions.

Now what is best, that the end user gets the fix through windows update or that he has to find out about the security flaw and then manually install a custom patch for EACH application whos developer was too lazy to make a proper installer for his software.

Static linking is the lazy route, making sure your application installs properly is the proper way to go.

#1SimonForsman

Posted 11 January 2013 - 08:07 PM

<blockquote class="ipsBlockquote" data-author="simast" data-cid="5020520"><p>Comparing a C/C++ run-time to the Java/.NET framework dependency is a bit too much? The game I am working on has around 7 binary lib dependencies.. And they are all statically linked. The EXE has zero dependencies (other than standard Windows DLLs of course). Heck, it does not even need an installer. The only reason why most of the C++ games require MSVCR DLLs installed are because developers are lazy, don't want to build static libraries themselves for their compiler/MT/MD support and just link with the binary DLL packages they can find on the net.</p></blockquote><br />Why would you statically link third party libraries ?<br /><br />If a statically linked library contains a security hole and you don't patch your software immediatly you expose your users to unnecessary risks, if a dynamically linked library contains a security hole the user will get an updated version of the library installed automatically by the OS(Atleast on those with a modern package management system, Windows still only sends out updates for Microsofts software) as soon as it is available.<br /><br />Here is an example:<br />http://technet.microsoft.com/en-us/security/bulletin/ms11-025<br />a bug in the Visual C++ 2008 and 2010 redistributables (MFC part of it) that allowed attacks to execute arbitrary code on machines running software using some of those functions.<br /><br />Now what is best, that the end user gets the fix through windows update or that he has to find out about the security flaw and then manually install a custom patch for EACH application whos developer thought it was a good idea to link statically to the RTE ?

PARTNERS