Buggy krb5-config script
This morning when Ionut was trying to update gtk3, he noticed that the
CUPS print backend would pull in libgcrypt, which is no longer needed,
as GnuTLS depends on nettle now instead of libgcrypt. This bug was
quickly resolved with a short patch from Fedora.

After fixing CUPS, we found out that CUPS would pull in a lot of other
libraries and weird CFLAGS in the cups-config output:

$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
-Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
-lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt

Notice the weird CFLAGS that are copied into the LDFLAGS now. These
flags don't come from CUPS, but from krb5:

CFLAGS=test krb5-config --libs
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
-lkeyutils -lresolv -ldl

So it turns out krb5-config is plain wrong here. Fedora has a patch for
this:
http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD

Another quite useful patch would be this:
http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD

I'm not sure about the whole library fixup things they're doing in the
first patch, but most important will be the first section of the part
that is applied to krb5-config.in.

OK to apply this? As krb5 is a dependency of quite some packages, this
would reduce lots of unneeded libs in those packages.

Buggy krb5-config script
On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> This morning when Ionut was trying to update gtk3, he noticed that the
> CUPS print backend would pull in libgcrypt, which is no longer needed,
> as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> quickly resolved with a short patch from Fedora.
>
> After fixing CUPS, we found out that CUPS would pull in a lot of other
> libraries and weird CFLAGS in the cups-config output:
>
> $ cups-config --libs
> -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
>
> Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> flags don't come from CUPS, but from krb5:
>
> CFLAGS=test krb5-config --libs
> $ CFLAGS=test krb5-config --libs
> test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> -lkeyutils -lresolv -ldl
>
> So it turns out krb5-config is plain wrong here. Fedora has a patch for
> this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
>
> Another quite useful patch would be this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
>
> I'm not sure about the whole library fixup things they're doing in the
> first patch, but most important will be the first section of the part
> that is applied to krb5-config.in.
>
> OK to apply this? As krb5 is a dependency of quite some packages, this
> would reduce lots of unneeded libs in those packages.
>

The second patch makes sense to me -- if we don't fix this, we'll have
to add all these useless deps to the packaging. The first patch mostly
just looks like standard hardening that Fedora does. I wouldn't be
opposed to this, pending Allan's input since we're looking at a global
rebuild in the near future (pacman4). I know that he's planning to
enable relro and PIE, but not -z,now iirc.

dave

Buggy krb5-config script
On 28 July 2011 08:53:23, Dave Reisner wrote:
> On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > This morning when Ionut was trying to update gtk3, he noticed that the
> > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > quickly resolved with a short patch from Fedora.
> >
> > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > libraries and weird CFLAGS in the cups-config output:
> >
> > $ cups-config --libs
> > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> >
> > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > flags don't come from CUPS, but from krb5:
> >
> > CFLAGS=test krb5-config --libs
> > $ CFLAGS=test krb5-config --libs
> > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > -lkeyutils -lresolv -ldl
> >
> > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> >
> > Another quite useful patch would be this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> >
> > I'm not sure about the whole library fixup things they're doing in the
> > first patch, but most important will be the first section of the part
> > that is applied to krb5-config.in.
> >
> > OK to apply this? As krb5 is a dependency of quite some packages, this
> > would reduce lots of unneeded libs in those packages.
>
> The second patch makes sense to me -- if we don't fix this, we'll have
> to add all these useless deps to the packaging. The first patch mostly
> just looks like standard hardening that Fedora does. I wouldn't be
> opposed to this, pending Allan's input since we're looking at a global
> rebuild in the near future (pacman4). I know that he's planning to
> enable relro and PIE, but not -z,now iirc.
>
> dave

It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
the other one is just hardening stuff and it is not necessary at this time.
I will prepare an update later today.

Thanks for reporting this.

Stéphane

Buggy krb5-config script
On 28 July 2011 11:17:48, Stéphane Gaudreault wrote:
> On 28 July 2011 08:53:23, Dave Reisner wrote:
> > On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > > This morning when Ionut was trying to update gtk3, he noticed that the
> > > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > > quickly resolved with a short patch from Fedora.
> > >
> > > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > > libraries and weird CFLAGS in the cups-config output:
> > >
> > > $ cups-config --libs
> > > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> > >
> > > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > > flags don't come from CUPS, but from krb5:
> > >
> > > CFLAGS=test krb5-config --libs
> > > $ CFLAGS=test krb5-config --libs
> > > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > > -lkeyutils -lresolv -ldl
> > >
> > > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > > this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> > >
> > > Another quite useful patch would be this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> > >
> > > I'm not sure about the whole library fixup things they're doing in the
> > > first patch, but most important will be the first section of the part
> > > that is applied to krb5-config.in.
> > >
> > > OK to apply this? As krb5 is a dependency of quite some packages, this
> > > would reduce lots of unneeded libs in those packages.
> >
> > The second patch makes sense to me -- if we don't fix this, we'll have
> > to add all these useless deps to the packaging. The first patch mostly
> > just looks like standard hardening that Fedora does. I wouldn't be
> > opposed to this, pending Allan's input since we're looking at a global
> > rebuild in the near future (pacman4). I know that he's planning to
> > enable relro and PIE, but not -z,now iirc.
> >
> > dave
>
> It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
> the other one is just hardening stuff and it is not necessary at this time.
> I will prepare an update later today.
>
> Thanks for reporting this.
>
> Stéphane

Patched krb5 gives

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err

instead of

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl

If it is what we want, then I will upload the pkg into testing.

Stéphane

Buggy krb5-config script
On Thu, 2011-07-28 at 12:06 -0400, Stéphane Gaudreault wrote:
> > It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
> > the other one is just hardening stuff and it is not necessary at this time.
> > I will prepare an update later today.
> >
> > Thanks for reporting this.
> >
> > Stéphane
>
> Patched krb5 gives
>
> # krb5-config --libs
> -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
>
> instead of
>
> # krb5-config --libs
> -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
>
> If it is what we want, then I will upload the pkg into testing.

That's better already, but what about this:

$ CFLAGS=test krb5-config --libs

I guess that will prepend "test" in front of your output. The first
patch fixes two things: hardening the libraries and fixing the CFLAGS
issues. The CFLAGS issue is fixed on line 36-37 of the patch, so if you
don't want the hardening, you should apply that part of the patch.
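
Added example, not part of the thread and not code from krb5, Fedora or Arch: a shell check for the two problems discussed above, a config script that echoes build-environment flags into its --libs output and one that lists dependency libraries beyond an allowlist. The two *_config functions are constructed stand-ins that reproduce the outputs quoted in the thread; the function names and the allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed stand-ins for illustration; NOT the real krb5-config.
# Each reproduces one --libs output quoted in the thread.
unpatched_config() {
    echo "$CFLAGS -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl"
}
patched_config() {
    echo "-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"
}

# leaks_env CMD: exit 0 if a canary set in CFLAGS/CPPFLAGS/LDFLAGS shows
# up in CMD's --libs output, 1 if it does not, 2 if CMD itself fails.
leaks_env() {
    canary="-DCANARY_$$"
    out=$(CFLAGS="$canary" CPPFLAGS="$canary" LDFLAGS="$canary" "$1" --libs) || return 2
    case " $out " in
        *" $canary "*) return 0 ;;
        *) return 1 ;;
    esac
}

# extra_libs CMD ALLOWED...: print the -l flags in CMD's --libs output
# that are not on the allowlist (space separated, empty line if none).
extra_libs() {
    script=$1; shift
    allowed=" $* "
    extra=""
    for tok in $(CFLAGS='' CPPFLAGS='' LDFLAGS='' "$script" --libs); do
        case "$tok" in
            -l*) case "$allowed" in
                     *" $tok "*) ;;
                     *) extra="${extra:+$extra }$tok" ;;
                 esac ;;
        esac
    done
    printf '%s\n' "$extra"
}

# Report on both stand-ins, using the patched output as the allowlist.
for s in unpatched_config patched_config; do
    if leaks_env "$s"; then echo "$s: build flags leak into --libs"; fi
    x=$(extra_libs "$s" -lkrb5 -lk5crypto -lcom_err)
    if [ -n "$x" ]; then echo "$s: unexpected libs: $x"; fi
done
```

On a real system the same two functions take the path of the installed config script in place of a stand-in name.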