From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Wed, 13 May 2020 23:37:24 +0200
Message-ID: <414ecb8f-1985-4228-018a-4430dd570a80@ipfire.org>
In-Reply-To: <8F952430-AFEE-45C2-9D8C-06DF1171F8C9@ipfire.org>

Hi,

On 13.05.2020 12:55, Michael Tremer wrote:
> Hi,
> 
> I found my script!

YES! ;-)

> I have committed it to the repository and sent a patch. Please have a look.

Looked. Seems to work. And it would have taken me much longer to write such a script. Great you've found it.

> I have also added a simple shortcut for make.sh.
> 
> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
> 
> You can also pass multiple libraries at once.

I took a ride on a Core144 build with:

./make.sh find-dependencies libhogweed.so.5 libnettle.so.7

I wanted to know which libraries would be affected by the nettle 3.6 update.
Result (I cut '/git/ipfire.../build/'):

/usr/bin/virt-admin
/usr/bin/ivshmem-server
/usr/bin/bsdtar
/usr/bin/nettle-lfib-stream
/usr/bin/qemu-i386
/usr/bin/qemu-edid
/usr/bin/squidclient
/usr/bin/qemu-system-arm
/usr/bin/qemu-arm
/usr/bin/virt-host-validate
/usr/bin/danetool
/usr/bin/certtool
/usr/bin/bsdcat
/usr/bin/qemu-pr-helper
/usr/bin/bsdcpio
/usr/bin/qemu-system-x86_64
/usr/bin/qemu-img
/usr/bin/ping
/usr/bin/ivshmem-client
/usr/bin/nettle-pbkdf2
/usr/bin/pkcs1-conv
/usr/bin/sexp-conv
/usr/bin/qemu-io
/usr/bin/dnsdist
/usr/bin/qemu-x86_64
/usr/bin/kdig
/usr/bin/qemu-nbd
/usr/bin/elf2dmp
/usr/bin/qemu-system-i386
/usr/bin/nettle-hash
/usr/bin/virsh
/usr/libexec/qemu-bridge-helper
/usr/libexec/libvirt_iohelper
/usr/sbin/libvirtd
/usr/sbin/virtlockd
/usr/sbin/virtlogd
/usr/sbin/cups-genppd.5.2
/usr/sbin/squid
/usr/lib/libvirt.so.0.5006.0
/usr/lib/libvirt-admin.so.0.5006.0
/usr/lib/libhogweed.so.5.0
/usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
/usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
/usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
/usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
/usr/lib/libvirt/lock-driver/lockd.so
/usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
/usr/lib/libvirt-qemu.so.0.5006.0
/usr/lib/cups/filter/commandtocanon
/usr/lib/cups/filter/rastertogutenprint.5.2
/usr/lib/cups/filter/commandtoepson
/usr/lib/cups/driver/gutenprint.5.2
/usr/lib/squid/negotiate_wrapper_auth
/usr/lib/squid/digest_ldap_auth
/usr/lib/squid/ntlm_fake_auth
/usr/lib/squid/basic_radius_auth
/usr/lib/squid/digest_file_auth
/usr/lib/squid/basic_ncsa_auth
/usr/lib/squid/cachemgr.cgi
/usr/lib/squid/digest_edirectory_auth
/usr/lib/libgnutls.so.30.23.2
/usr/lib/libvirt-lxc.so.0.5006.0
/usr/lib/libarchive.so.13.4.0
/srv/web/ipfire/cgi-bin/cachemgr.cgi

Looks like we would need a compat version?

Best,
Matthias

> Best,
> -Michael
> 
>> On 4 May 2020, at 15:32, Michael Tremer wrote:
>> 
>> Hi,
>> 
>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>> 
>> I would recommend the following:
>> 
>> 1) Have a function that takes a binary name and returns whether it matches or not.
>> 
>> 2) Have a second function that finds all binary files and calls the function from 1).
>> 
>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>> 
>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>> 
>> You can run this instead:
>> 
>> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>> 
>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>> 
>> readelf is in the binutils package.
>> 
>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>> 
>> For performance I would recommend using find to search for binary files.
>> You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>> 
>> Please feel free to ask questions :)
>> 
>>> On 2 May 2020, at 09:53, Matthias Fischer wrote:
>>> 
>>> Hi,
>>> 
>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>> Hi,
>>>> 
>>>> Do we know if anything else but gnutls links against this?
>>> 
>>> Me: no => Please don't merge this patch.
>>> 
>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>> 
>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>> sucks...
>>> 
>>> What I'm not sure about:
>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>> 
>>> ToDo:
>>> I thought about it. I'll try to write a script that loops through (all)
>>> binaries and throws a message if an appropriate - missing - library (in
>>> this case: libhogweed or libnettle) was found.
>>> 
>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>> [PROGRAM_NAME]', filtering the output.
>>> 
>>> And just in case: has anyone here ever programmed anything like this
>>> already?
>> 
>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>> 
>> I should have kept it.
>> 
>> -Michael
>> 
>>> 
>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>> 
>>> Opinions?
>>> 
>>> Best,
>>> Matthias
>>> 
>> 
>> -Michael
>> 
>>>> -Michael
>>>> 
>>>>> On 1 May 2020, at 11:54, Matthias Fischer wrote:
>>>>> 
>>>>> For details see:
>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>> 
>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>> 
>>>>> Signed-off-by: Matthias Fischer >>>>> --- >>>>> config/rootfiles/common/nettle | 11 +++++++---- >>>>> lfs/nettle | 6 +++--- >>>>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>>>=20 >>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/n= ettle >>>>> index 58e3f57a0..20a269a8b 100644 >>>>> --- a/config/rootfiles/common/nettle >>>>> +++ b/config/rootfiles/common/nettle >>>>> @@ -23,6 +23,7 @@ >>>>> #usr/include/nettle/cmac.h >>>>> #usr/include/nettle/ctr.h >>>>> #usr/include/nettle/curve25519.h >>>>> +#usr/include/nettle/curve448.h >>>>> #usr/include/nettle/des.h >>>>> #usr/include/nettle/dsa-compat.h >>>>> #usr/include/nettle/dsa.h >>>>> @@ -32,6 +33,7 @@ >>>>> #usr/include/nettle/ecdsa.h >>>>> #usr/include/nettle/eddsa.h >>>>> #usr/include/nettle/gcm.h >>>>> +#usr/include/nettle/gostdsa.h >>>>> #usr/include/nettle/gosthash94.h >>>>> #usr/include/nettle/hkdf.h >>>>> #usr/include/nettle/hmac.h >>>>> @@ -61,16 +63,17 @@ >>>>> #usr/include/nettle/sha1.h >>>>> #usr/include/nettle/sha2.h >>>>> #usr/include/nettle/sha3.h >>>>> +#usr/include/nettle/siv-cmac.h >>>>> #usr/include/nettle/twofish.h >>>>> #usr/include/nettle/umac.h >>>>> #usr/include/nettle/version.h >>>>> #usr/include/nettle/xts.h >>>>> #usr/include/nettle/yarrow.h >>>>> usr/lib/libhogweed.so >>>>> -usr/lib/libhogweed.so.5 >>>>> -usr/lib/libhogweed.so.5.0 >>>>> +usr/lib/libhogweed.so.6 >>>>> +usr/lib/libhogweed.so.6.0 >>>>> #usr/lib/libnettle.so >>>>> -usr/lib/libnettle.so.7 >>>>> -usr/lib/libnettle.so.7.0 >>>>> +usr/lib/libnettle.so.8 >>>>> +usr/lib/libnettle.so.8.0 >>>>> #usr/lib/pkgconfig/hogweed.pc >>>>> #usr/lib/pkgconfig/nettle.pc >>>>> diff --git a/lfs/nettle b/lfs/nettle >>>>> index cc34b1fad..de7428121 100644 >>>>> --- a/lfs/nettle >>>>> +++ b/lfs/nettle 
>>>>> @@ -1,7 +1,7 @@ >>>>> #######################################################################= ######## >>>>> # = # >>>>> # IPFire.org - A linux based firewall = # >>>>> -# Copyright (C) 2007-2019 IPFire Team = # >>>>> +# Copyright (C) 2007-2020 IPFire Team = # >>>>> # = # >>>>> # This program is free software: you can redistribute it and/or modify = # >>>>> # it under the terms of the GNU General Public License as published by = # >>>>> @@ -24,7 +24,7 @@ >>>>>=20 >>>>> include Config >>>>>=20 >>>>> -VER =3D 3.5.1 >>>>> +VER =3D 3.6 >>>>>=20 >>>>> THISAPP =3D nettle-$(VER) >>>>> DL_FILE =3D $(THISAPP).tar.gz >>>>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >>>>>=20 >>>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>>>=20 >>>>> -$(DL_FILE)_MD5 =3D 0e5707b418c3826768d41130fbe4ee86 >>>>> +$(DL_FILE)_MD5 =3D c45ee24ed7361dcda152a035d396fe8a >>>>>=20 >>>>> install : $(TARGET) >>>>>=20 >>>>> --=20 >>>>> 2.17.1 >=20 --===============7917606035399028034==--
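Review bot: the @@ -61,16 +63,17 @@ hunk of config/rootfiles/common/nettle removes usr/lib/libhogweed.so.5, usr/lib/libhogweed.so.5.0, usr/lib/libnettle.so.7 and usr/lib/libnettle.so.7.0 from the shipped files in the same step that adds the .so.6 and .so.8 names, and nothing in the series provides the old sonames. The find-dependencies run earlier in this thread shows libgnutls.so.30, squid and its auth helpers, libvirt, qemu, libarchive/bsdtar, the cups filters, ping, kdig and dnsdist linking directly against the old sonames, so each of those would fail to load on a system that installs this update before they are rebuilt. Either rebuild those packages in the same core update or keep the old .so.5/.so.7 files in a compat package, as the thread already suggests, before this is merged.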
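Review bot: the VER bump in the @@ -24,7 +24,7 @@ hunk of lfs/nettle takes the tree to nettle 3.6, but the gnutls update to 3.6.13 that the commit message says this requires is not part of the patch; the two changes should land in one series so the tree never builds gnutls against a nettle release it does not support.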
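Review bot: the new $(DL_FILE)_MD5 value in the @@ -40,7 +40,7 @@ hunk of lfs/nettle is the only integrity check on the downloaded tarball, and MD5 only detects a corrupted download, not a substituted one; the commit message should state that the hash was taken from a tarball verified against upstream's published signature or checksum, since the ChangeLog link it gives does not cover the archive itself.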
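The readelf-based scan Michael describes above (use find to pick executable files, read their DT_NEEDED entries with readelf, report the ones that name a given soname), written out as an added example; this is not the IPFire tools script or the make.sh find-dependencies shortcut. It assumes binutils readelf on PATH and a find that accepts -perm -100; the function names are my own.

```shell
#!/bin/sh
# Added example, not the IPFire script: report executables under ROOT that
# link *directly* (DT_NEEDED) against any of the given sonames. readelf is
# used instead of ldd so that libraries pulled in transitively by another
# library are not reported (ldd would list those as well).

# needed_from_readelf: read `readelf --dynamic` output on stdin and print one
# soname per line for every (NEEDED) entry.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)\].*/\1/p'
}

# needs_any_of SONAME...: read sonames on stdin; succeed (exit 0) as soon as
# one of them equals an argument, fail (exit 1) if none does.
needs_any_of() {
    while IFS= read -r lib; do
        for want in "$@"; do
            [ "$lib" = "$want" ] && return 0
        done
    done
    return 1
}

# find_dependencies ROOT SONAME...: scan only executable regular files
# (assumption: -perm -100, i.e. owner-executable) and print each one whose
# dynamic section needs one of the sonames. readelf errors for shell scripts
# and other non-ELF executables are discarded.
find_dependencies() {
    root="$1"
    shift
    find "$root" -type f -perm -100 -print | while IFS= read -r file; do
        if readelf --dynamic "$file" 2>/dev/null \
                | needed_from_readelf | needs_any_of "$@"; then
            printf '%s\n' "$file"
        fi
    done
}

# Usage: find_dependencies /path/to/build libhogweed.so.5 libnettle.so.7
```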