[arch-dev-public] Buggy krb5-config script

Dave Reisner d at falconindy.com
Thu Jul 28 08:53:23 EDT 2011


On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> This morning when Ionut was trying to update gtk3, he noticed that the
> CUPS print backend would pull in libgcrypt, which is no longer needed,
> as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> quickly resolved with a short patch from Fedora.
> 
> After fixing CUPS, we found out that CUPS would pull in a lot of other
> libraries and weird CFLAGS in the cups-config output:
> 
> $ cups-config --libs
> -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> 
> Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> flags don't come from CUPS, but from krb5:
> 
> CFLAGS=test krb5-config --libs
> $ CFLAGS=test krb5-config --libs
> test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> -lkeyutils -lresolv -ldl
> 
> So it turns out krb5-config is plain wrong here. Fedora has a patch for
> this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> 
> Another quite useful patch would be this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> 
> I'm not sure about the whole library fixup things they're doing in the
> first patch, but most important will be the first section of the part
> that is applied to krb5-config.in.
> 
> OK to apply this? As krb5 is a dependency of quite some packages, this
> would reduce lots of unneeded libs for those packages.

The second patch makes sense to me -- if we don't fix this, we'll have
to add all these useless deps to the packaging. The first patch mostly
just looks like standard hardening that Fedora does. I wouldn't be
opposed to this, pending Allan's input since we're looking at a global
rebuild in the near future (pacman4). I know that he's planning to
enable relro and PIE, but not -z,now iirc.

dave
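The symptom Jan shows, compiler flags such as -march, -O2 and -I leaking from a *-config script into its --libs output, is easy to catch mechanically before it turns into over-linking in a package. The following is an added example, not code from the thread or from the krb5 or CUPS projects: a POSIX sh check that classifies each token of a --libs string and reports or strips anything that is not a linker flag. The sample string is the cups-config output quoted above; the accepted-flag list (-l, -L, -Wl, -pthread, -static, -shared, -rdynamic) is an assumption and can be extended.

```shell
#!/bin/sh
# Added example: detect compiler flags leaking into a *-config --libs line.

# Constructed sample: the polluted cups-config --libs output quoted in the thread.
SAMPLE_LIBS='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'

# Returns 0 when the token is something the linker legitimately consumes.
# The accepted set is an assumption of this example; adjust for your toolchain.
is_linker_flag() {
    case "$1" in
        -l*|-L*|-Wl,*|-pthread|-static|-shared|-rdynamic) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every token of a --libs string that is not a linker flag, one per line.
stray_libs_flags() {
    for tok in $1; do
        is_linker_flag "$tok" || printf '%s\n' "$tok"
    done
}

# Print the number of stray (non-linker) tokens in a --libs string.
count_stray_flags() {
    n=0
    for tok in $1; do
        is_linker_flag "$tok" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Print the --libs string with the stray tokens removed (a packaging workaround
# until the script itself is fixed).
filter_libs_output() {
    out=
    for tok in $1; do
        is_linker_flag "$tok" && out="$out${out:+ }$tok"
    done
    printf '%s\n' "$out"
}

# Run an installed *-config script and check its --libs output; skipped when absent.
check_config_script() {
    cmd=$1
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "$cmd: not installed, skipped"
        return 0
    fi
    out=$("$cmd" --libs)
    if [ "$(count_stray_flags "$out")" -eq 0 ]; then
        echo "$cmd: --libs is clean"
        return 0
    fi
    echo "$cmd: --libs carries non-linker flags:"
    stray_libs_flags "$out"
    return 1
}

# Stand-alone usage: inspect the quoted sample, then any local scripts.
if [ "${1:-}" = "--demo" ]; then
    echo "stray flags in sample: $(count_stray_flags "$SAMPLE_LIBS")"
    stray_libs_flags "$SAMPLE_LIBS"
    echo "filtered: $(filter_libs_output "$SAMPLE_LIBS")"
    check_config_script krb5-config
    check_config_script cups-config
fi
```

Run with `sh check-libs.sh --demo`; on the sample above it reports seven stray tokens (the -march/-mtune/-O2/-pipe/-I/-D entries) and a filtered line that keeps only the -l and -Wl, flags. Note that `filter_libs_output` only hides the symptom: the real fix is the krb5-config.in correction Jan points at, since every consumer of the script otherwise inherits the bad line.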
