[arch-dev-public] Buggy krb5-config script
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
CFLAGS=test krb5-config --libs
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildco...
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs...
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs in those packages.
On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
CFLAGS=test krb5-config --libs
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildco...
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs...
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs in those packages.
The second patch makes sense to me -- if we don't fix this, we'll have to add all these useless deps to the packaging. The first patch mostly just looks like standard hardening that Fedora does. I wouldn't be opposed to this, pending Allan's input since we're looking at a global rebuild in the near future (pacman4). I know that he's planning to enable relro and PIE, but not -z,now iirc.
dave
On July 28, 2011 08:53:23, Dave Reisner wrote:
On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
CFLAGS=test krb5-config --libs
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs in those packages.
The second patch makes sense to me -- if we don't fix this, we'll have to add all these useless deps to the packaging. The first patch mostly just looks like standard hardening that Fedora does. I wouldn't be opposed to this, pending Allan's input since we're looking at a global rebuild in the near future (pacman4). I know that he's planning to enable relro and PIE, but not -z,now iirc.
dave
It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned, the other one is just hardening stuff and it is not necessary at this time. I will prepare an update later today.
Thanks for reporting this.
Stéphane
On July 28, 2011 11:17:48, Stéphane Gaudreault wrote:
On July 28, 2011 08:53:23, Dave Reisner wrote:
On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
This morning when Ionut was trying to update gtk3, he noticed that the CUPS print backend would pull in libgcrypt, which is no longer needed, as GnuTLS depends on nettle now instead of libgcrypt. This bug was quickly resolved with a short patch from Fedora.
After fixing CUPS, we found out that CUPS would pull in a lot of other libraries and weird CFLAGS in the cups-config output:
$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
Notice the weird CFLAGS that are copied into the LDFLAGS now. These flags don't come from CUPS, but from krb5:
CFLAGS=test krb5-config --libs
$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
So it turns out krb5-config is plain wrong here. Fedora has a patch for this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
Another quite useful patch would be this: http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
I'm not sure about the whole library fixup things they're doing in the first patch, but most important will be the first section of the part that is applied to krb5-config.in.
OK to apply this? As krb5 is a dependency of quite some packages, this would reduce lots of unneeded libs in those packages.
The second patch makes sense to me -- if we don't fix this, we'll have to add all these useless deps to the packaging. The first patch mostly just looks like standard hardening that Fedora does. I wouldn't be opposed to this, pending Allan's input since we're looking at a global rebuild in the near future (pacman4). I know that he's planning to enable relro and PIE, but not -z,now iirc.
dave
It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned, the other one is just hardening stuff and it is not necessary at this time. I will prepare an update later today.
Thanks for reporting this.
Stéphane
Patched krb5 gives
# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
instead of
# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
If it is what we want, then I will upload the pkg into testing.
Stéphane
On Thu, 2011-07-28 at 12:06 -0400, Stéphane Gaudreault wrote:
It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned, the other one is just hardening stuff and it is not necessary at this time. I will prepare an update later today.
Thanks for reporting this.
Stéphane
Patched krb5 gives
# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
instead of
# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
If it is what we want, then I will upload the pkg into testing.
That's better already, but what about this:
$ CFLAGS=test krb5-config --libs
I guess that will prepend "test" in front of your output.
The first patch fixes two things: hardening the libraries and fixing the CFLAGS issues. The CFLAGS issue is fixed on lines 36-37 of the patch, so if you don't want the hardening, you should apply that part of the patch.
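A packaging check for the two problems discussed in this thread, added here as an example; it is not part of any message, nor of krb5 or Arch tooling. A sentinel in CFLAGS catches an environment leak that a pattern match on compiler flags would miss (a bare word like "test" matches no flag pattern). The function names are hypothetical, and `buggy_config` / `fixed_config` are constructed stand-ins that echo the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example: audit the --libs output of a *-config script.

# Constructed stand-ins reproducing the two outputs quoted in the thread.
buggy_config() {  # unpatched behaviour: $CFLAGS is echoed in front of the libs
    echo "$CFLAGS -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl"
}
fixed_config() {  # no environment leak, private libs dropped
    echo "-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"
}

# Return 0 if a sentinel placed in CFLAGS shows up in "<cmd> --libs",
# 1 if it does not, 2 if the command itself fails.
leaks_cflags() {
    sentinel="__CFLAGS_SENTINEL__"
    out=$(CFLAGS="$sentinel" "$1" --libs 2>/dev/null) || return 2
    case "$out" in
        *"$sentinel"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the compile-only tokens found in a linker flag string.
compile_only_tokens() {
    for tok in $1; do
        case "$tok" in
            -I*|-D*|-O[0-9s]|-march=*|-mtune=*|-pipe) printf '%s\n' "$tok" ;;
        esac
    done
}

# Print the -l libraries present in the first flag string but not the second.
dropped_libs() {
    for tok in $1; do
        case "$tok" in -l*) ;; *) continue ;; esac
        case " $2 " in *" $tok "*) ;; *) printf '%s\n' "$tok" ;; esac
    done
}

for cmd in buggy_config fixed_config; do
    if leaks_cflags "$cmd"; then echo "$cmd: CFLAGS leaks into --libs"
    else echo "$cmd: clean"; fi
done
```

To audit an installed script, pass its name instead of a stand-in, for example `leaks_cflags krb5-config`.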
participants (3): Dave Reisner, Jan de Groot, Stéphane Gaudreault