FAQ
advantages of static linking
reducing size and attack surface
When linking the final binary we pass `--as-needed` and `--gc-sections` to the linker (`-Wl,--as-needed -Wl,--gc-sections` when going through the compiler driver). `--as-needed` only affects shared libraries: a `DT_NEEDED` entry is emitted only for libraries that actually satisfy a symbol reference, so a dynamically linked build does not drag in unused dependencies; for a fully static binary it is a no-op. What matters for the static case is `--gc-sections`. Static linking already pulls in only the archive members (object files) that resolve an undefined symbol, never the whole `.a`, but a member is pulled in whole, so every function in that object file ends up in the binary. `--gc-sections` additionally discards every input section that nothing references. Because the compiler normally places all functions of a translation unit in a single `.text` section, that alone changes little; compiling the static libraries with `-ffunction-sections -fdata-sections` gives each function and each variable its own section, so garbage collection works at function granularity and only the functions actually called survive. The resulting static binary is usually smaller and contains fewer functions than a dynamically linked binary plus the full shared libraries it loads at runtime. That means smaller container images and a significantly smaller attack surface: you can't exploit a vulnerable function if it ain't there, and code that was dropped is not available as gadget material either. The flip side is that a security fix in a library only reaches a static binary when it is rebuilt and relinked against the patched library, so static binaries have to be tracked and rebuilt when their embedded dependencies get updated.
speed
Static binaries are usually a bit faster than their dynamically linked alternative, mainly for two reasons:
- There is no dynamic loader work at startup: no shared objects to locate, map and symbol-resolve, and no relocations to process. The dependency is already part of the executable. This matters most for short-lived processes that are started often.
- The library code is part of the executable's own file mapping, so it is typically paged in together with the program and is already warm in the page cache and CPU caches when it is needed; calls into the library are direct calls instead of indirections through the PLT/GOT.
The trade-off is that shared libraries used by many processes share a single copy of their pages in memory, which a collection of static binaries does not.