From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Mon, 04 May 2020 15:32:59 +0100
Message-ID: <112CD7FD-306C-4D86-9C7B-1809A11B0D63@ipfire.org>
In-Reply-To: <98cee97f-062e-3942-2f06-5ac8cec2f173@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6520844419054219582=="
List-Id:

--===============6520844419054219582==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.

I would recommend the following:

1) Have a function that takes a binary name and returns whether it matches or not.

2) Have a second function that finds all binary files and calls the function from 1).

You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.

I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.

You can run this instead:

root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]

These are all libraries that /bin/bash needs directly on my system, and that is what we want to know. readelf is in the binutils package.

We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.

For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.

Please feel free to ask questions :)

> On 2 May 2020, at 09:53, Matthias Fischer wrote:
>
> Hi,
>
> On 01.05.2020 15:17, Michael Tremer wrote:
>> Hi,
>>
>> Do we know if anything else but gnutls links against this?
>
> Me: no => Please don't merge this patch.
>
>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>
> You're right. IIRC, I read about a similar problem a while ago. And it
> sucks...
>
> What I'm not sure about:
> Would testing all binaries one by one with 'ldd' be sufficient enough?
>
> ToDo:
> I thought about it. I'll try to write a script that loops through (all)
> binaries and throws a message if an appropriate - missing - library (in
> this case: libhogweed or libnettle) was found.
>
> I'm thinking about something with a "for-while-do-loop", using 'ldd
> [PROGRAM_NAME]', filtering the output.
>
> And just in case: has anyone here ever programmed anything like this
> already?

I wrote such a script when we migrated OpenSSL, but I do not have it any more :) I should have kept it.

-Michael

>
> I don't want to "reinvent the wheel" unnecessarily... ;-)
>
> Opinions?
>
> Best,
> Matthias
>

-Michael

>> -Michael
>>
>>> On 1 May 2020, at 11:54, Matthias Fischer wrote:
>>>
>>> For details see:
>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>
>>> This update also requires updating gnutls to '3.6.13'.
>>>=20 >>> Signed-off-by: Matthias Fischer >>> --- >>> config/rootfiles/common/nettle | 11 +++++++---- >>> lfs/nettle | 6 +++--- >>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>=20 >>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/net= tle >>> index 58e3f57a0..20a269a8b 100644 >>> --- a/config/rootfiles/common/nettle >>> +++ b/config/rootfiles/common/nettle >>> @@ -23,6 +23,7 @@ >>> #usr/include/nettle/cmac.h >>> #usr/include/nettle/ctr.h >>> #usr/include/nettle/curve25519.h >>> +#usr/include/nettle/curve448.h >>> #usr/include/nettle/des.h >>> #usr/include/nettle/dsa-compat.h >>> #usr/include/nettle/dsa.h >>> @@ -32,6 +33,7 @@ >>> #usr/include/nettle/ecdsa.h >>> #usr/include/nettle/eddsa.h >>> #usr/include/nettle/gcm.h >>> +#usr/include/nettle/gostdsa.h >>> #usr/include/nettle/gosthash94.h >>> #usr/include/nettle/hkdf.h >>> #usr/include/nettle/hmac.h >>> @@ -61,16 +63,17 @@ >>> #usr/include/nettle/sha1.h >>> #usr/include/nettle/sha2.h >>> #usr/include/nettle/sha3.h >>> +#usr/include/nettle/siv-cmac.h >>> #usr/include/nettle/twofish.h >>> #usr/include/nettle/umac.h >>> #usr/include/nettle/version.h >>> #usr/include/nettle/xts.h >>> #usr/include/nettle/yarrow.h >>> usr/lib/libhogweed.so >>> -usr/lib/libhogweed.so.5 >>> -usr/lib/libhogweed.so.5.0 >>> +usr/lib/libhogweed.so.6 >>> +usr/lib/libhogweed.so.6.0 >>> #usr/lib/libnettle.so >>> -usr/lib/libnettle.so.7 >>> -usr/lib/libnettle.so.7.0 >>> +usr/lib/libnettle.so.8 >>> +usr/lib/libnettle.so.8.0 >>> #usr/lib/pkgconfig/hogweed.pc >>> #usr/lib/pkgconfig/nettle.pc >>> diff --git a/lfs/nettle b/lfs/nettle >>> index cc34b1fad..de7428121 100644 >>> --- a/lfs/nettle >>> +++ b/lfs/nettle 
>>> @@ -1,7 +1,7 @@ >>> #########################################################################= ###### >>> # = # >>> # IPFire.org - A linux based firewall = # >>> -# Copyright (C) 2007-2019 IPFire Team = # >>> +# Copyright (C) 2007-2020 IPFire Team = # >>> # = # >>> # This program is free software: you can redistribute it and/or modify = # >>> # it under the terms of the GNU General Public License as published by = # >>> @@ -24,7 +24,7 @@ >>>=20 >>> include Config >>>=20 >>> -VER =3D 3.5.1 >>> +VER =3D 3.6 >>>=20 >>> THISAPP =3D nettle-$(VER) >>> DL_FILE =3D $(THISAPP).tar.gz >>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >>>=20 >>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>=20 >>> -$(DL_FILE)_MD5 =3D 0e5707b418c3826768d41130fbe4ee86 >>> +$(DL_FILE)_MD5 =3D c45ee24ed7361dcda152a035d396fe8a >>>=20 >>> install : $(TARGET) >>>=20 >>> --=20 >>> 2.17.1 >>>=20 >>=20 >=20 --===============6520844419054219582==--
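
Review bot: In the last hunk of config/rootfiles/common/nettle (@@ -61,16 +63,17 @@), the usr/lib/libhogweed.so.5* and usr/lib/libnettle.so.7* entries are dropped in the same change that adds .so.6 and .so.8, so any installed binary whose NEEDED entries still name the old sonames will fail to load once this ships. The commit message names gnutls 3.6.13 as a required companion, but it is not part of this patch and no other consumers are listed. I would hold the merge until the dependents have been enumerated from their direct NEEDED entries and are either rebuilt in the same update or covered by a compat package that keeps the old sonames.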
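
Review bot: In the @@ -40,7 +40,7 @@ hunk of lfs/nettle, the new tarball is pinned only by $(DL_FILE)_MD5, and MD5 offers no collision resistance, so for a cryptographic library it should not be the only evidence that the download is the upstream release. Please state in the commit message how nettle-3.6.tar.gz was verified (for example against the upstream release signature) before c45ee24ed7361dcda152a035d396fe8a was recorded.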
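
The script outlined in the reply above (one function that tests a single binary with readelf, one that walks executable files with find), as an added example that is not part of the thread or of IPFire's tools/. The function names, the optional root-directory argument and the name-matching rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list executables that directly link a library.
# Usage: sh find-dependents.sh libnettle [ROOT]   (script name and ROOT are assumptions)

# Print the sonames found in `readelf --dynamic` output read on stdin.
parse_needed() {
    sed -n 's/.*(NEEDED).*Shared library: \[\(.*\)].*/\1/p'
}

# Succeed if any soname on stdin is NAME or NAME.<suffix>, so that libnettle
# matches libnettle.so.7 but libc does not match libcrypt.so.1.
matches_library() {
    while IFS= read -r so; do
        case "$so" in "$1" | "$1".*) return 0 ;; esac
    done
    return 1
}

# 1) Does this one file name the library in its own DT_NEEDED entries?
#    readelf parses only this file, so indirectly loaded libraries are not listed.
#    LC_ALL=C keeps the "Shared library" label untranslated for parse_needed.
links_against() {
    LC_ALL=C readelf --dynamic "$1" 2>/dev/null | parse_needed | matches_library "$2"
}

# 2) Walk ROOT, consider only executable regular files, print the ones that match.
#    -xdev keeps find off /proc, /sys and other mounts below ROOT.
#    File names containing newlines are not handled.
find_dependents() {
    find "${2:-/}" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        if links_against "$f" "$1"; then printf '%s\n' "$f"; fi
    done
}

if [ "$#" -gt 0 ]; then find_dependents "$@"; fi
```

For the nettle bump it would be run once for libnettle and once for libhogweed, inside the build chroot, before the old sonames are dropped.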