From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Thu, 14 May 2020 11:43:05 +0100
Message-ID: <1D56C174-9A43-4686-BC1E-744ECA0153E6@ipfire.org>
In-Reply-To: <414ecb8f-1985-4228-018a-4430dd570a80@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7404644469512893600=="

--===============7404644469512893600==
Content-Type: text/plain; charset="utf-8"

Hi,

Oh. This is indeed a very long list of files.

Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.

Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid). I have no idea why cachemgr.cgi matches though.

Best,
-Michael

> On 13 May 2020, at 22:37, Matthias Fischer wrote:
>
> Hi,
>
> On 13.05.2020 12:55, Michael Tremer wrote:
>> Hi,
>>
>> I found my script!
>
> YES! ;-)
>
>> I have committed it to the repository and sent a patch. Please have a look.
>
> Looked. Seems to work.
>
> And it would have taken me much longer to write such a script. Great
> you've found it.
>
>> I have also added a simple shortcut for make.sh.
>>
>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>
>> You can also pass multiple libraries at once.
>
> I took a ride on a Core144 build with:
>
> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>
> I wanted to know which libraries would be affected by the nettle 3.6 update.
>
> Result (I cut '/git/ipfire.../build/'):
>
> /usr/bin/virt-admin
> /usr/bin/ivshmem-server
> /usr/bin/bsdtar
> /usr/bin/nettle-lfib-stream
> /usr/bin/qemu-i386
> /usr/bin/qemu-edid
> /usr/bin/squidclient
> /usr/bin/qemu-system-arm
> /usr/bin/qemu-arm
> /usr/bin/virt-host-validate
> /usr/bin/danetool
> /usr/bin/certtool
> /usr/bin/bsdcat
> /usr/bin/qemu-pr-helper
> /usr/bin/bsdcpio
> /usr/bin/qemu-system-x86_64
> /usr/bin/qemu-img
> /usr/bin/ping
> /usr/bin/ivshmem-client
> /usr/bin/nettle-pbkdf2
> /usr/bin/pkcs1-conv
> /usr/bin/sexp-conv
> /usr/bin/qemu-io
> /usr/bin/dnsdist
> /usr/bin/qemu-x86_64
> /usr/bin/kdig
> /usr/bin/qemu-nbd
> /usr/bin/elf2dmp
> /usr/bin/qemu-system-i386
> /usr/bin/nettle-hash
> /usr/bin/virsh
> /usr/libexec/qemu-bridge-helper
> /usr/libexec/libvirt_iohelper
> /usr/sbin/libvirtd
> /usr/sbin/virtlockd
> /usr/sbin/virtlogd
> /usr/sbin/cups-genppd.5.2
> /usr/sbin/squid
> /usr/lib/libvirt.so.0.5006.0
> /usr/lib/libvirt-admin.so.0.5006.0
> /usr/lib/libhogweed.so.5.0
> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
> /usr/lib/libvirt/lock-driver/lockd.so
> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
> /usr/lib/libvirt-qemu.so.0.5006.0
> /usr/lib/cups/filter/commandtocanon
> /usr/lib/cups/filter/rastertogutenprint.5.2
> /usr/lib/cups/filter/commandtoepson
> /usr/lib/cups/driver/gutenprint.5.2
> /usr/lib/squid/negotiate_wrapper_auth
> /usr/lib/squid/digest_ldap_auth
> /usr/lib/squid/ntlm_fake_auth
> /usr/lib/squid/basic_radius_auth
> /usr/lib/squid/digest_file_auth
> /usr/lib/squid/basic_ncsa_auth
> /usr/lib/squid/cachemgr.cgi
> /usr/lib/squid/digest_edirectory_auth
> /usr/lib/libgnutls.so.30.23.2
> /usr/lib/libvirt-lxc.so.0.5006.0
> /usr/lib/libarchive.so.13.4.0
> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>
> Looks like we would need a compat version?
>
> Best,
> Matthias
>
>> Best,
>> -Michael
>>
>>> On 4 May 2020, at 15:32, Michael Tremer wrote:
>>>
>>> Hi,
>>>
>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>
>>> I would recommend the following:
>>>
>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>
>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>
>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>
>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>>
>>> You can run this instead:
>>>
>>> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>
>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>
>>> readelf is in the binutils package.
>>>
>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>
>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>
>>> Please feel free to ask questions :)
>>>
>>>> On 2 May 2020, at 09:53, Matthias Fischer wrote:
>>>>
>>>> Hi,
>>>>
>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>> Hi,
>>>>>
>>>>> Do we know if anything else but gnutls links against this?
>>>>
>>>> Me: no => Please don't merge this patch.
>>>>
>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>
>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>> sucks...
>>>>
>>>> What I'm not sure about:
>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>
>>>> ToDo:
>>>> I thought about it. I'll try to write a script that loops through (all)
>>>> binaries and throws a message if an appropriate - missing - library (in
>>>> this case: libhogweed or libnettle) was found.
>>>>
>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>> [PROGRAM_NAME]', filtering the output.
>>>>
>>>> And just in case: has anyone here ever programmed anything like this
>>>> already?
>>>
>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>
>>> I should have kept it.
>>>
>>> -Michael
>>>
>>>>
>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>
>>>> Opinions?
>>>>=20 >>>> Best, >>>> Matthias >>>>=20 >>>=20 >>> -Michael >>>=20 >>>>> -Michael >>>>>=20 >>>>>> On 1 May 2020, at 11:54, Matthias Fischer wrote: >>>>>>=20 >>>>>> For details see: >>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog >>>>>>=20 >>>>>> This update also requires updating gnutls to '3.6.13'. >>>>>>=20 >>>>>> Signed-off-by: Matthias Fischer >>>>>> --- >>>>>> config/rootfiles/common/nettle | 11 +++++++---- >>>>>> lfs/nettle | 6 +++--- >>>>>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>>>>=20 >>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/= nettle >>>>>> index 58e3f57a0..20a269a8b 100644 >>>>>> --- a/config/rootfiles/common/nettle >>>>>> +++ b/config/rootfiles/common/nettle >>>>>> @@ -23,6 +23,7 @@ >>>>>> #usr/include/nettle/cmac.h >>>>>> #usr/include/nettle/ctr.h >>>>>> #usr/include/nettle/curve25519.h >>>>>> +#usr/include/nettle/curve448.h >>>>>> #usr/include/nettle/des.h >>>>>> #usr/include/nettle/dsa-compat.h >>>>>> #usr/include/nettle/dsa.h >>>>>> @@ -32,6 +33,7 @@ >>>>>> #usr/include/nettle/ecdsa.h >>>>>> #usr/include/nettle/eddsa.h >>>>>> #usr/include/nettle/gcm.h >>>>>> +#usr/include/nettle/gostdsa.h >>>>>> #usr/include/nettle/gosthash94.h >>>>>> #usr/include/nettle/hkdf.h >>>>>> #usr/include/nettle/hmac.h 
>>>>>> @@ -61,16 +63,17 @@ >>>>>> #usr/include/nettle/sha1.h >>>>>> #usr/include/nettle/sha2.h >>>>>> #usr/include/nettle/sha3.h >>>>>> +#usr/include/nettle/siv-cmac.h >>>>>> #usr/include/nettle/twofish.h >>>>>> #usr/include/nettle/umac.h >>>>>> #usr/include/nettle/version.h >>>>>> #usr/include/nettle/xts.h >>>>>> #usr/include/nettle/yarrow.h >>>>>> usr/lib/libhogweed.so >>>>>> -usr/lib/libhogweed.so.5 >>>>>> -usr/lib/libhogweed.so.5.0 >>>>>> +usr/lib/libhogweed.so.6 >>>>>> +usr/lib/libhogweed.so.6.0 >>>>>> #usr/lib/libnettle.so >>>>>> -usr/lib/libnettle.so.7 >>>>>> -usr/lib/libnettle.so.7.0 >>>>>> +usr/lib/libnettle.so.8 >>>>>> +usr/lib/libnettle.so.8.0 >>>>>> #usr/lib/pkgconfig/hogweed.pc >>>>>> #usr/lib/pkgconfig/nettle.pc >>>>>> diff --git a/lfs/nettle b/lfs/nettle >>>>>> index cc34b1fad..de7428121 100644 >>>>>> --- a/lfs/nettle >>>>>> +++ b/lfs/nettle >>>>>> @@ -1,7 +1,7 @@ >>>>>> ######################################################################= ######### >>>>>> # = # >>>>>> # IPFire.org - A linux based firewall = # >>>>>> -# Copyright (C) 2007-2019 IPFire Team = # >>>>>> +# Copyright (C) 2007-2020 IPFire Team = # >>>>>> # = # >>>>>> # This program is free software: you can redistribute it and/or modify= # >>>>>> # it under the terms of the GNU General Public License as published by= # >>>>>> @@ -24,7 +24,7 @@ >>>>>>=20 >>>>>> include Config >>>>>>=20 >>>>>> -VER =3D 3.5.1 >>>>>> +VER =3D 3.6 >>>>>>=20 >>>>>> THISAPP =3D nettle-$(VER) >>>>>> DL_FILE =3D $(THISAPP).tar.gz >>>>>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >>>>>>=20 >>>>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>>>>=20 >>>>>> -$(DL_FILE)_MD5 =3D 0e5707b418c3826768d41130fbe4ee86 >>>>>> +$(DL_FILE)_MD5 =3D c45ee24ed7361dcda152a035d396fe8a >>>>>>=20 >>>>>> install : $(TARGET) >>>>>>=20 >>>>>> --=20 >>>>>> 2.17.1 >>=20 >=20 --===============7404644469512893600==--
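
Review bot: In the @@ -61,16 +63,17 @@ hunk of config/rootfiles/common/nettle, the entries usr/lib/libhogweed.so.5, usr/lib/libhogweed.so.5.0, usr/lib/libnettle.so.7 and usr/lib/libnettle.so.7.0 are dropped from the root file list with no compat entry, so any shipped binary whose NEEDED entry still names the old sonames has nothing to load unless it is rebuilt and shipped in the same update. The diffstat covers only the two nettle files, and the gnutls 3.6.13 update that the commit message calls required is not part of this patch; send both as one series together with the list of dependent packages to re-ship, or keep the old sonames available through a compat package.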
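
Review bot: In the last lfs/nettle hunk (@@ -40,7 +40,7 @@), the new tarball is pinned only by the $(DL_FILE)_MD5 value, and MD5 is not collision resistant, so this line on its own does not show that nettle-3.6.tar.gz is the upstream release. State in the commit message that the download was checked against upstream's signature or a stronger digest before this value was recorded.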
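
The approach described in the quoted 4 May message (check one file's direct NEEDED entries with readelf, then walk all executable files with find), as an added shell example. It is not the script committed to the IPFire repository; the function names, the SAMPLE variable and the command-line layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical names): list files that link DIRECTLY against
# one of the given sonames, using readelf instead of ldd.
# Usage: sh this-script.sh ROOT SONAME [SONAME...]

# Print the DT_NEEDED names found in `readelf --dynamic` output read on stdin.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Succeed if any soname in "$@" is an exact NEEDED entry (input on stdin).
# Exact matching keeps libnettle.so.7 from also matching libnettle.so.70.
matches_any() {
    needed=$(needed_from_readelf)
    for lib in "$@"; do
        printf '%s\n' "$needed" | grep -Fxq -- "$lib" && return 0
    done
    return 1
}

# Step 1 of the mail: does this one file name the library directly?
# Non-ELF files make readelf fail; they then simply do not match.
links_directly() {
    file=$1; shift
    readelf --dynamic "$file" 2>/dev/null | matches_any "$@"
}

# Step 2: consider executable regular files only and print the matches.
# `-perm /111` is GNU find syntax; paths containing newlines are not handled.
find_dependents() {
    root=$1; shift
    find "$root" -type f -perm /111 -print | while IFS= read -r f; do
        if links_directly "$f" "$@"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: the readelf lines quoted in the thread for /bin/bash.
SAMPLE='0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]'

if [ "$#" -ge 2 ]; then
    find_dependents "$@"
fi
```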