From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Wed, 13 May 2020 11:55:16 +0100
Message-ID: <8F952430-AFEE-45C2-9D8C-06DF1171F8C9@ipfire.org>
In-Reply-To: <112CD7FD-306C-4D86-9C7B-1809A11B0D63@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0907653038455588605=="
List-Id: <development.lists.ipfire.org>

--===============0907653038455588605==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

I found my script!

I have committed it to the repository and sent a patch. Please have a look.

I have also added a simple shortcut for make.sh.

So that ./make.sh find-dependencies libtinfo.so.6 will now show you which bin=
ary links to this library.

You can also pass multiple libraries at once.

Best,
-Michael

> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>=20
> Hi,
>=20
> Yes, I think that it would be a good idea to add a script to tools/ that ta=
kes a library name and returns a list of all files (with potentially even the=
 package name) so that we can quickly find out what linked against it.
>=20
> I would recommend the following:
>=20
> 1) Have a function that takes a binary name and returns whether it matches =
or not.
>=20
> 2) Have a second function that finds all binary files and calls the functio=
n from 1).
>=20
> You can then either collect the file list and scan the root files later to =
find what package that file is in and simply list the package names in the en=
d. But I guess that is probably already a stretch goal and a first version of=
 the script does not need it.
>=20
> I would recommend using readelf instead of ldd, because ldd runs the runtim=
e linker and lists all libraries that were pulled in. That means that if you =
have a command /bin/command which links again liba.so and liba.so links again=
st libb.so, then ldd lists both libraries. We might ship more files then than=
 we need to.
>=20
> You can run this instead:
>=20
> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
> 0x0000000000000001 (NEEDED)             Shared library: [libtinfo.so.6]
> 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
> 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
>=20
> These are all libraries that /bin/bash needs directly on my system, and tha=
t is what we want to know.
>=20
> readelf is in the binutils package.
>=20
> We could later add a command to make.sh that mounts the chroot environment =
and then runs the script inside it.
>=20
> For performance I would recommend using find to search for binary files. Yo=
u will probably have to scan everything, but should only consider files that =
are executable. We should not have any binaries that are not executable. The =
script might indeed run for a little moment, but readelf should already be mu=
ch quicker than ldd, because it will only parse one file and not all linked l=
ibraries as well.
>=20
> Please feel free to ask questions :)
>=20
>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> =
wrote:
>>=20
>> Hi,
>>=20
>> On 01.05.2020 15:17, Michael Tremer wrote:
>>> Hi,
>>>=20
>>> Do we know if anything else but gnutls links against this?
>>=20
>> Me: no =3D> Please don't merge this patch.
>>=20
>>> The library so version has been bumped, and we might need a compat-versio=
n if we can. Or potentially symlinks.
>>=20
>> You're right. IIRC, I read about a similiar problem a while ago. And it
>> sucks...
>>=20
>> What I'm not sure about:
>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>=20
>> ToDo:
>> I thought about it. I'll try to write a script that loops through (all)
>> binaries and throws a message if an appropriate - missing - library (in
>> this case: libhogweed or libnettle) was found.
>>=20
>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>> [PROGRAM_NAME]', filtering the output.
>>=20
>> And just in case: has anyone here ever programmed anything like this
>> already?
>=20
> I wrote such a script when we migrated OpenSSL, but I do not have it any mo=
re :)
>=20
> I should have kept it.
>=20
> -Michael
>=20
>>=20
>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>=20
>> Opinions?
>>=20
>> Best,
>> Matthias
>>=20
>=20
> -Michael
>=20
>>> -Michael
>>>=20
>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org=
> wrote:
>>>>=20
>>>> For details see:
>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>=20
>>>> This update also requires updating gnutls to '3.6.13'.
>>>>=20
>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>> ---
>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>> lfs/nettle                     |  6 +++---
>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>=20
>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/ne=
ttle
>>>> index 58e3f57a0..20a269a8b 100644
>>>> --- a/config/rootfiles/common/nettle
>>>> +++ b/config/rootfiles/common/nettle
>>>> @@ -23,6 +23,7 @@
>>>> #usr/include/nettle/cmac.h
>>>> #usr/include/nettle/ctr.h
>>>> #usr/include/nettle/curve25519.h
>>>> +#usr/include/nettle/curve448.h
>>>> #usr/include/nettle/des.h
>>>> #usr/include/nettle/dsa-compat.h
>>>> #usr/include/nettle/dsa.h
>>>> @@ -32,6 +33,7 @@
>>>> #usr/include/nettle/ecdsa.h
>>>> #usr/include/nettle/eddsa.h
>>>> #usr/include/nettle/gcm.h
>>>> +#usr/include/nettle/gostdsa.h
>>>> #usr/include/nettle/gosthash94.h
>>>> #usr/include/nettle/hkdf.h
>>>> #usr/include/nettle/hmac.h
>>>> @@ -61,16 +63,17 @@
>>>> #usr/include/nettle/sha1.h
>>>> #usr/include/nettle/sha2.h
>>>> #usr/include/nettle/sha3.h
>>>> +#usr/include/nettle/siv-cmac.h
>>>> #usr/include/nettle/twofish.h
>>>> #usr/include/nettle/umac.h
>>>> #usr/include/nettle/version.h
>>>> #usr/include/nettle/xts.h
>>>> #usr/include/nettle/yarrow.h
>>>> usr/lib/libhogweed.so
>>>> -usr/lib/libhogweed.so.5
>>>> -usr/lib/libhogweed.so.5.0
>>>> +usr/lib/libhogweed.so.6
>>>> +usr/lib/libhogweed.so.6.0
>>>> #usr/lib/libnettle.so
>>>> -usr/lib/libnettle.so.7
>>>> -usr/lib/libnettle.so.7.0
>>>> +usr/lib/libnettle.so.8
>>>> +usr/lib/libnettle.so.8.0
>>>> #usr/lib/pkgconfig/hogweed.pc
>>>> #usr/lib/pkgconfig/nettle.pc
>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>> index cc34b1fad..de7428121 100644
>>>> --- a/lfs/nettle
>>>> +++ b/lfs/nettle
>>>> @@ -1,7 +1,7 @@
>>>> ########################################################################=
#######
>>>> #                                                                       =
      #
>>>> # IPFire.org - A linux based firewall                                   =
      #
>>>> -# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>            =
         #
>>>> +# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>            =
         #
>>>> #                                                                       =
      #
>>>> # This program is free software: you can redistribute it and/or modify  =
      #
>>>> # it under the terms of the GNU General Public License as published by  =
      #
>>>> @@ -24,7 +24,7 @@
>>>>=20
>>>> include Config
>>>>=20
>>>> -VER        =3D 3.5.1
>>>> +VER        =3D 3.6
>>>>=20
>>>> THISAPP    =3D nettle-$(VER)
>>>> DL_FILE    =3D $(THISAPP).tar.gz
>>>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
>>>>=20
>>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>>>>=20
>>>> -$(DL_FILE)_MD5 =3D 0e5707b418c3826768d41130fbe4ee86
>>>> +$(DL_FILE)_MD5 =3D c45ee24ed7361dcda152a035d396fe8a
>>>>=20
>>>> install : $(TARGET)
>>>>=20
>>>> --=20
>>>> 2.17.1


--===============0907653038455588605==--