Strictly speaking, the requirement is that they be able to upgrade/modify the library. Static linking coupled with shipping only an executable is a violation. I believe that shipping source (or even un-linked object files?), such that users can rebuild the application with a statically linked updated version is allowed - no requirement that they be permitted to modify or redistribute the application proper.