On 28 July 2011 08:53:23, Dave Reisner wrote:
On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs for those packages.
The second patch makes sense to me -- if we don't fix this, we'll have to add all these useless deps to the packaging. The first patch mostly just looks like standard hardening that Fedora does. I wouldn't be opposed to this, pending Allan's input since we're looking at a global rebuild in the near future (pacman4). I know that he's planning to enable relro and PIE, but not -z,now iirc.
dave
It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned the other one is just hardening stuff and it is not necessary at this time. I will prepare an update later today. Thanks for reporting this.
Stéphane
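
The two checks used in the thread (reading a --libs line for compiler flags, and running the script with CFLAGS=test) can be scripted for packaging QA. The following is an added example, not part of the original messages or of any package's own tooling; the function names, the accepted-token list and the stand-in config scripts are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the cups-config --libs output quoted in the thread, shortened.
SAMPLE_LIBS='-lcups -march=x86-64 -O2 -pipe -I/usr/include/dbus-1.0 -Wl,--as-needed -lkrb5 -lz'

# Print each token of a --libs line that is not a linker input.
# Accepted here (an assumption of this example): -l, -L, -Wl, -pthread, library paths.
leaked_flags() {
    set -f                                  # no globbing while splitting the line
    for tok in $1; do
        case "$tok" in
            -l?*|-L?*|-Wl,?*|-pthread|/*.a|/*.so|/*.so.*) ;;
            *) printf '%s\n' "$tok" ;;
        esac
    done
    set +f
}

# Run "<command> --libs" with canary values in CFLAGS and LDFLAGS (the thread's
# CFLAGS=test check). Returns 0 if neither canary is echoed, 1 if one leaks.
env_independent() {
    out=$(CFLAGS=__canary_c__ LDFLAGS=__canary_ld__ "$@" --libs) || return 2
    case " $out " in
        *" __canary_c__ "*|*" __canary_ld__ "*) return 1 ;;
    esac
    return 0
}

# Write a hypothetical stand-in config script; mode "leaky" copies CFLAGS into
# its output the way the thread describes, any other mode prints fixed libraries.
make_fake_config() {
    if [ "$2" = leaky ]; then
        printf '#!/bin/sh\necho "$CFLAGS -Wl,--as-needed -lkrb5 -lk5crypto"\n' > "$1"
    else
        printf '#!/bin/sh\necho "-lkrb5 -lk5crypto"\n' > "$1"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_fake_config "$dir/leaky-config" leaky
    make_fake_config "$dir/fixed-config" fixed
    leaked_flags "$SAMPLE_LIBS"             # lists the compiler flags in the sample
    for s in leaky-config fixed-config; do
        if env_independent sh "$dir/$s"; then echo "$s: ok"; else echo "$s: echoes build environment"; fi
    done
    rm -rf "$dir"
}
demo
```

Against an installed tool the second check is called as `env_independent krb5-config`; flags that were baked into the script at build time do not trip the canary and only show up through `leaked_flags`.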