[arch-dev-public] Buggy krb5-config script
Stéphane Gaudreault
stephane at archlinux.org
Thu Jul 28 11:17:48 EDT 2011
Le 28 juillet 2011 08:53:23 Dave Reisner a écrit :
> On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > This morning when Ionut was trying to update gtk3, he noticed that the
> > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > quickly resolved with a short patch from Fedora.
> >
> > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > libraries and weird CFLAGS in the cups-config output:
> >
> > $ cups-config --libs
> > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> >
> > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > flags don't come from CUPS, but from krb5:
> >
> > CFLAGS=test krb5-config --libs
> > $ CFLAGS=test krb5-config --libs
> > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > -lkeyutils -lresolv -ldl
> >
> > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-bui
> > ldconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> >
> > Another quite useful patch would be this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodep
> > libs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> >
> > I'm not sure about the whole library fixup things they're doing in the
> > first patch, but most important will be the first section of the part
> > that is applied to krb5-config.in.
> >
> > OK to apply this? As krb5 is a dependency of quite some packages, this
> > would reduce lots of unneeded libs those packages.
>
> The second patch makes sense to me -- if we don't fix this, we'll have
> to add all these useless deps to the packaging. The first patch mostly
> just looks like standard hardening that Fedora does. I wouldn't be
> opposed to this, pending Allan's input since we're looking at a global
> rebuild in the near future (pacman4). I know that he's planning to
> enable relro and PIE, but not -z,now iirc.
>
> dave
It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentionned the
other one is just hardening stuff and it is not necessary at this time. I will
prepare an update later today.
Thanks for reporting this.
Stéphane
More information about the arch-dev-public
mailing list