On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildco...
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs...
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs for those packages.
The second patch makes sense to me -- if we don't fix this, we'll have to add all these useless deps to the packaging. The first patch mostly just looks like standard hardening that Fedora does. I wouldn't be opposed to this, pending Allan's input since we're looking at a global rebuild in the near future (pacman4). I know that he's planning to enable relro and PIE, but not -z,now iirc.

dave
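
Added example, not part of either message above: a small shell check that flags tokens in `*-config --libs` output that are not linker input, run against the two outputs quoted in the thread. The function names and the list of accepted token prefixes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: find tokens in "<pkg>-config --libs" output that are not
# linker input, i.e. compiler flags leaked from the build environment.

# Sample outputs copied from the message above.
CUPS_SAMPLE='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'
KRB5_SAMPLE='test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl'

# leaked_flags LINE: print each token that does not belong in --libs output.
# Assumption: only -l, -L, -Wl, and -pthread are valid there.
leaked_flags() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '') ;;                              # blank from leading whitespace
            -l?*|-L?*|-Wl,?*|-pthread) ;;       # linker input, accepted
            *) printf '%s\n' "$tok" ;;          # CFLAGS or stray words
        esac
    done
}

# count_libs LINE: number of -l entries, a rough view of overlinking.
count_libs() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -c '^-l.' || true
}

# report NAME LINE: summarise one --libs line; returns 1 if anything leaked.
report() {
    bad=$(leaked_flags "$2")
    printf '%s: %s libraries\n' "$1" "$(count_libs "$2")"
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/  leaked: /'
    return 1
}

report cups-config "$CUPS_SAMPLE" || true
report krb5-config "$KRB5_SAMPLE" || true
```

On a build host the same check can be pointed at live output, for example `report krb5-config "$(krb5-config --libs)"`.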