* [PATCH] nettle: Update to 3.6
@ 2020-05-01 10:54 Matthias Fischer
2020-05-01 13:17 ` Michael Tremer
0 siblings, 1 reply; 10+ messages in thread
From: Matthias Fischer @ 2020-05-01 10:54 UTC (permalink / raw)
To: development
For details see:
https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
This update also requires updating gnutls to '3.6.13'.
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
config/rootfiles/common/nettle | 11 +++++++----
lfs/nettle | 6 +++---
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
index 58e3f57a0..20a269a8b 100644
--- a/config/rootfiles/common/nettle
+++ b/config/rootfiles/common/nettle
@@ -23,6 +23,7 @@
#usr/include/nettle/cmac.h
#usr/include/nettle/ctr.h
#usr/include/nettle/curve25519.h
+#usr/include/nettle/curve448.h
#usr/include/nettle/des.h
#usr/include/nettle/dsa-compat.h
#usr/include/nettle/dsa.h
@@ -32,6 +33,7 @@
#usr/include/nettle/ecdsa.h
#usr/include/nettle/eddsa.h
#usr/include/nettle/gcm.h
+#usr/include/nettle/gostdsa.h
#usr/include/nettle/gosthash94.h
#usr/include/nettle/hkdf.h
#usr/include/nettle/hmac.h
@@ -61,16 +63,17 @@
#usr/include/nettle/sha1.h
#usr/include/nettle/sha2.h
#usr/include/nettle/sha3.h
+#usr/include/nettle/siv-cmac.h
#usr/include/nettle/twofish.h
#usr/include/nettle/umac.h
#usr/include/nettle/version.h
#usr/include/nettle/xts.h
#usr/include/nettle/yarrow.h
usr/lib/libhogweed.so
-usr/lib/libhogweed.so.5
-usr/lib/libhogweed.so.5.0
+usr/lib/libhogweed.so.6
+usr/lib/libhogweed.so.6.0
#usr/lib/libnettle.so
-usr/lib/libnettle.so.7
-usr/lib/libnettle.so.7.0
+usr/lib/libnettle.so.8
+usr/lib/libnettle.so.8.0
#usr/lib/pkgconfig/hogweed.pc
#usr/lib/pkgconfig/nettle.pc
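Review bot: the rootfile replaces usr/lib/libhogweed.so.5* and usr/lib/libnettle.so.7* with .so.6 and .so.8 and keeps nothing under the old sonames, so any binary already built with a NEEDED entry for libhogweed.so.5 or libnettle.so.7 stops loading once this ships, while the commit message names only gnutls as needing an update. Please list the other consumers in the commit message and either rebuild them in the same series or keep the old sonames available (compat package or symlinks, if the ABI allows it) until they are rebuilt.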
diff --git a/lfs/nettle b/lfs/nettle
index cc34b1fad..de7428121 100644
--- a/lfs/nettle
+++ b/lfs/nettle
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 3.5.1
+VER = 3.6
THISAPP = nettle-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
+$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
install : $(TARGET)
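Review bot: the only integrity pin for the new tarball in this hunk is the `$(DL_FILE)_MD5` line, and MD5 is not collision resistant, so the value catches a corrupted download but does not authenticate the source. For a cryptographic library, please state in the commit message how nettle-3.6.tar.gz was verified (for example against the upstream release signature) before the digest was recorded.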
--
2.17.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-01 10:54 [PATCH] nettle: Update to 3.6 Matthias Fischer
@ 2020-05-01 13:17 ` Michael Tremer
2020-05-02 8:53 ` Matthias Fischer
0 siblings, 1 reply; 10+ messages in thread
From: Michael Tremer @ 2020-05-01 13:17 UTC (permalink / raw)
To: development
Hi,
Do we know if anything else but gnutls links against this?
The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
-Michael
> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> For details see:
> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>
> This update also requires updating gnutls to '3.6.13'.
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
> config/rootfiles/common/nettle | 11 +++++++----
> lfs/nettle | 6 +++---
> 2 files changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
> index 58e3f57a0..20a269a8b 100644
> --- a/config/rootfiles/common/nettle
> +++ b/config/rootfiles/common/nettle
> @@ -23,6 +23,7 @@
> #usr/include/nettle/cmac.h
> #usr/include/nettle/ctr.h
> #usr/include/nettle/curve25519.h
> +#usr/include/nettle/curve448.h
> #usr/include/nettle/des.h
> #usr/include/nettle/dsa-compat.h
> #usr/include/nettle/dsa.h
> @@ -32,6 +33,7 @@
> #usr/include/nettle/ecdsa.h
> #usr/include/nettle/eddsa.h
> #usr/include/nettle/gcm.h
> +#usr/include/nettle/gostdsa.h
> #usr/include/nettle/gosthash94.h
> #usr/include/nettle/hkdf.h
> #usr/include/nettle/hmac.h
> @@ -61,16 +63,17 @@
> #usr/include/nettle/sha1.h
> #usr/include/nettle/sha2.h
> #usr/include/nettle/sha3.h
> +#usr/include/nettle/siv-cmac.h
> #usr/include/nettle/twofish.h
> #usr/include/nettle/umac.h
> #usr/include/nettle/version.h
> #usr/include/nettle/xts.h
> #usr/include/nettle/yarrow.h
> usr/lib/libhogweed.so
> -usr/lib/libhogweed.so.5
> -usr/lib/libhogweed.so.5.0
> +usr/lib/libhogweed.so.6
> +usr/lib/libhogweed.so.6.0
> #usr/lib/libnettle.so
> -usr/lib/libnettle.so.7
> -usr/lib/libnettle.so.7.0
> +usr/lib/libnettle.so.8
> +usr/lib/libnettle.so.8.0
> #usr/lib/pkgconfig/hogweed.pc
> #usr/lib/pkgconfig/nettle.pc
> diff --git a/lfs/nettle b/lfs/nettle
> index cc34b1fad..de7428121 100644
> --- a/lfs/nettle
> +++ b/lfs/nettle
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 3.5.1
> +VER = 3.6
>
> THISAPP = nettle-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>
> install : $(TARGET)
>
> --
> 2.17.1
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-01 13:17 ` Michael Tremer
@ 2020-05-02 8:53 ` Matthias Fischer
2020-05-04 14:32 ` Michael Tremer
0 siblings, 1 reply; 10+ messages in thread
From: Matthias Fischer @ 2020-05-02 8:53 UTC (permalink / raw)
To: development
Hi,
On 01.05.2020 15:17, Michael Tremer wrote:
> Hi,
>
> Do we know if anything else but gnutls links against this?
Me: no => Please don't merge this patch.
> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
You're right. IIRC, I read about a similar problem a while ago. And it
sucks...
What I'm not sure about:
Would testing all binaries one by one with 'ldd' be sufficient enough?
ToDo:
I thought about it. I'll try to write a script that loops through (all)
binaries and throws a message if an appropriate - missing - library (in
this case: libhogweed or libnettle) was found.
I'm thinking about something with a "for-while-do-loop", using 'ldd
[PROGRAM_NAME]', filtering the output.
And just in case: has anyone here ever programmed anything like this
already?
I don't want to "reinvent the wheel" unnecessarily... ;-)
Opinions?
Best,
Matthias
> -Michael
>
>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> For details see:
>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>
>> This update also requires updating gnutls to '3.6.13'.
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>> config/rootfiles/common/nettle | 11 +++++++----
>> lfs/nettle | 6 +++---
>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>
>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>> index 58e3f57a0..20a269a8b 100644
>> --- a/config/rootfiles/common/nettle
>> +++ b/config/rootfiles/common/nettle
>> @@ -23,6 +23,7 @@
>> #usr/include/nettle/cmac.h
>> #usr/include/nettle/ctr.h
>> #usr/include/nettle/curve25519.h
>> +#usr/include/nettle/curve448.h
>> #usr/include/nettle/des.h
>> #usr/include/nettle/dsa-compat.h
>> #usr/include/nettle/dsa.h
>> @@ -32,6 +33,7 @@
>> #usr/include/nettle/ecdsa.h
>> #usr/include/nettle/eddsa.h
>> #usr/include/nettle/gcm.h
>> +#usr/include/nettle/gostdsa.h
>> #usr/include/nettle/gosthash94.h
>> #usr/include/nettle/hkdf.h
>> #usr/include/nettle/hmac.h
>> @@ -61,16 +63,17 @@
>> #usr/include/nettle/sha1.h
>> #usr/include/nettle/sha2.h
>> #usr/include/nettle/sha3.h
>> +#usr/include/nettle/siv-cmac.h
>> #usr/include/nettle/twofish.h
>> #usr/include/nettle/umac.h
>> #usr/include/nettle/version.h
>> #usr/include/nettle/xts.h
>> #usr/include/nettle/yarrow.h
>> usr/lib/libhogweed.so
>> -usr/lib/libhogweed.so.5
>> -usr/lib/libhogweed.so.5.0
>> +usr/lib/libhogweed.so.6
>> +usr/lib/libhogweed.so.6.0
>> #usr/lib/libnettle.so
>> -usr/lib/libnettle.so.7
>> -usr/lib/libnettle.so.7.0
>> +usr/lib/libnettle.so.8
>> +usr/lib/libnettle.so.8.0
>> #usr/lib/pkgconfig/hogweed.pc
>> #usr/lib/pkgconfig/nettle.pc
>> diff --git a/lfs/nettle b/lfs/nettle
>> index cc34b1fad..de7428121 100644
>> --- a/lfs/nettle
>> +++ b/lfs/nettle
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> # #
>> # IPFire.org - A linux based firewall #
>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>> # #
>> # This program is free software: you can redistribute it and/or modify #
>> # it under the terms of the GNU General Public License as published by #
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 3.5.1
>> +VER = 3.6
>>
>> THISAPP = nettle-$(VER)
>> DL_FILE = $(THISAPP).tar.gz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>
>> install : $(TARGET)
>>
>> --
>> 2.17.1
>>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-02 8:53 ` Matthias Fischer
@ 2020-05-04 14:32 ` Michael Tremer
2020-05-13 10:52 ` [PATCH] make.sh: Add command to find dependencies Michael Tremer
2020-05-13 10:55 ` [PATCH] nettle: Update to 3.6 Michael Tremer
0 siblings, 2 replies; 10+ messages in thread
From: Michael Tremer @ 2020-05-04 14:32 UTC (permalink / raw)
To: development
Hi,
Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
I would recommend the following:
1) Have a function that takes a binary name and returns whether it matches or not.
2) Have a second function that finds all binary files and calls the function from 1).
You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
You can run this instead:
root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
readelf is in the binutils package.
We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
Please feel free to ask questions :)
> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> On 01.05.2020 15:17, Michael Tremer wrote:
>> Hi,
>>
>> Do we know if anything else but gnutls links against this?
>
> Me: no => Please don't merge this patch.
>
>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>
> You're right. IIRC, I read about a similar problem a while ago. And it
> sucks...
>
> What I'm not sure about:
> Would testing all binaries one by one with 'ldd' be sufficient enough?
>
> ToDo:
> I thought about it. I'll try to write a script that loops through (all)
> binaries and throws a message if an appropriate - missing - library (in
> this case: libhogweed or libnettle) was found.
>
> I'm thinking about something with a "for-while-do-loop", using 'ldd
> [PROGRAM_NAME]', filtering the output.
>
> And just in case: has anyone here ever programmed anything like this
> already?
I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
I should have kept it.
-Michael
>
> I don't want to "reinvent the wheel" unnecessarily... ;-)
>
> Opinions?
>
> Best,
> Matthias
>
-Michael
>> -Michael
>>
>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> For details see:
>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>
>>> This update also requires updating gnutls to '3.6.13'.
>>>
>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> ---
>>> config/rootfiles/common/nettle | 11 +++++++----
>>> lfs/nettle | 6 +++---
>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>> index 58e3f57a0..20a269a8b 100644
>>> --- a/config/rootfiles/common/nettle
>>> +++ b/config/rootfiles/common/nettle
>>> @@ -23,6 +23,7 @@
>>> #usr/include/nettle/cmac.h
>>> #usr/include/nettle/ctr.h
>>> #usr/include/nettle/curve25519.h
>>> +#usr/include/nettle/curve448.h
>>> #usr/include/nettle/des.h
>>> #usr/include/nettle/dsa-compat.h
>>> #usr/include/nettle/dsa.h
>>> @@ -32,6 +33,7 @@
>>> #usr/include/nettle/ecdsa.h
>>> #usr/include/nettle/eddsa.h
>>> #usr/include/nettle/gcm.h
>>> +#usr/include/nettle/gostdsa.h
>>> #usr/include/nettle/gosthash94.h
>>> #usr/include/nettle/hkdf.h
>>> #usr/include/nettle/hmac.h
>>> @@ -61,16 +63,17 @@
>>> #usr/include/nettle/sha1.h
>>> #usr/include/nettle/sha2.h
>>> #usr/include/nettle/sha3.h
>>> +#usr/include/nettle/siv-cmac.h
>>> #usr/include/nettle/twofish.h
>>> #usr/include/nettle/umac.h
>>> #usr/include/nettle/version.h
>>> #usr/include/nettle/xts.h
>>> #usr/include/nettle/yarrow.h
>>> usr/lib/libhogweed.so
>>> -usr/lib/libhogweed.so.5
>>> -usr/lib/libhogweed.so.5.0
>>> +usr/lib/libhogweed.so.6
>>> +usr/lib/libhogweed.so.6.0
>>> #usr/lib/libnettle.so
>>> -usr/lib/libnettle.so.7
>>> -usr/lib/libnettle.so.7.0
>>> +usr/lib/libnettle.so.8
>>> +usr/lib/libnettle.so.8.0
>>> #usr/lib/pkgconfig/hogweed.pc
>>> #usr/lib/pkgconfig/nettle.pc
>>> diff --git a/lfs/nettle b/lfs/nettle
>>> index cc34b1fad..de7428121 100644
>>> --- a/lfs/nettle
>>> +++ b/lfs/nettle
>>> @@ -1,7 +1,7 @@
>>> ###############################################################################
>>> # #
>>> # IPFire.org - A linux based firewall #
>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>> # #
>>> # This program is free software: you can redistribute it and/or modify #
>>> # it under the terms of the GNU General Public License as published by #
>>> @@ -24,7 +24,7 @@
>>>
>>> include Config
>>>
>>> -VER = 3.5.1
>>> +VER = 3.6
>>>
>>> THISAPP = nettle-$(VER)
>>> DL_FILE = $(THISAPP).tar.gz
>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>
>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>
>>> install : $(TARGET)
>>>
>>> --
>>> 2.17.1
>>>
>>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
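The two-function design and the package-name stretch goal from the message above, as an added example that is not part of the thread and is not IPFire's tools/find-dependencies. The function names are hypothetical, and the rootfile layout is an assumption: one file per package, named after the package, one path per line relative to /, with '#' lines treated as not shipped.

```shell
#!/bin/sh
# Added example: direct-dependency scan plus package lookup.
# Function names and the rootfile layout are assumptions (see lead-in).

# Print the sonames found in `readelf --dynamic` output on stdin, one per
# line. Only DT_NEEDED entries are direct dependencies; ldd would also list
# the libraries that those libraries pull in.
direct_needed() {
    sed -n 's/^.*(NEEDED).*\[\(.*\)]$/\1/p'
}

# links_directly FILE SONAME...
# Succeeds if FILE has a DT_NEEDED entry equal to one of the sonames.
# grep -x -F compares whole lines as fixed strings, so "libnettle.so.7"
# cannot match "libnettle.so.70" and the dots are not regex wildcards.
links_directly() {
    ld_file=$1
    shift
    ld_needed=$(readelf --dynamic "$ld_file" 2>/dev/null | direct_needed)
    [ -n "$ld_needed" ] || return 1
    for ld_lib in "$@"; do
        if printf '%s\n' "$ld_needed" | grep -qxF -e "$ld_lib"; then
            return 0
        fi
    done
    return 1
}

# find_dependents ROOT SONAME...
# Walk ROOT, consider only owner-executable regular files, and print the
# path (relative to ROOT, with a leading /) of each direct dependent.
# Reading line by line keeps paths with spaces intact; paths containing
# newlines are not supported.
find_dependents() {
    fd_root=${1%/}
    shift
    find "$fd_root" -xdev -type f -perm -100 | while IFS= read -r fd_file; do
        if links_directly "$fd_file" "$@"; then
            printf '%s\n' "/${fd_file#"$fd_root"/}"
        fi
    done
}

# packages_of ROOTFILES_DIR PATH
# Print the name of every rootfile that lists PATH on an uncommented line.
packages_of() {
    po_rel=${2#/}
    find "$1" -type f -exec grep -lxF -e "$po_rel" {} + |
        while IFS= read -r po_hit; do
            basename "$po_hit"
        done | sort -u
}

# affected_packages ROOT ROOTFILES_DIR SONAME...
# The stretch goal: packages that ship a binary linked directly against
# one of the sonames, i.e. the packages to rebuild after a soname bump.
affected_packages() {
    ap_root=$1
    ap_rootfiles=$2
    shift 2
    find_dependents "$ap_root" "$@" | while IFS= read -r ap_path; do
        packages_of "$ap_rootfiles" "$ap_path"
    done | sort -u
}

# Usage: sh this-script BUILD_ROOT ROOTFILES_DIR SONAME...
if [ "$#" -ge 3 ]; then
    affected_packages "$@"
fi
```
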
* [PATCH] make.sh: Add command to find dependencies
2020-05-04 14:32 ` Michael Tremer
@ 2020-05-13 10:52 ` Michael Tremer
2020-05-13 10:55 ` [PATCH] nettle: Update to 3.6 Michael Tremer
1 sibling, 0 replies; 10+ messages in thread
From: Michael Tremer @ 2020-05-13 10:52 UTC (permalink / raw)
To: development
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
make.sh | 6 +++++-
tools/find-dependencies | 32 ++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100755 tools/find-dependencies
diff --git a/make.sh b/make.sh
index 78c4edc90..4acce807f 100755
--- a/make.sh
+++ b/make.sh
@@ -1993,8 +1993,12 @@ lang)
update-contributors)
update_contributors
;;
+find-dependencies)
+ shift
+ exec "${BASEDIR}/tools/find-dependencies" "${BASEDIR}/build" "$@"
+ ;;
*)
- echo "Usage: $0 {build|changelog|clean|gettoolchain|downloadsrc|shell|sync|toolchain|update-contributors}"
+ echo "Usage: $0 {build|changelog|clean|gettoolchain|downloadsrc|shell|sync|toolchain|update-contributors|find-dependencies}"
cat doc/make.sh-usage
;;
esac
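Review bot: the new find-dependencies case is added to the one-line usage string, but the fallback branch also prints doc/make.sh-usage and the diffstat shows that file is not touched, so the longer help will not mention the command. Please add an entry there, and give the commit a message body that says what the command prints and that it accepts one or more sonames, since the mail carries only the Signed-off-by line.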
diff --git a/tools/find-dependencies b/tools/find-dependencies
new file mode 100755
index 000000000..25e6cddea
--- /dev/null
+++ b/tools/find-dependencies
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+main() {
+ if [ $# -lt 2 ]; then
+ echo "${0}: Usage: PATH LIBRARY ..."
+ return 2
+ fi
+
+ local root="${1}"
+ shift
+
+ if [ ! -d "${root}" ]; then
+ echo "${0}: ${root}: No such file or directory"
+ return 1
+ fi
+
+ local libraries="$@"
+
+ # Build the regex filter
+ local filter="(${libraries[*]// /|})"
+
+ local file
+ for file in $(find "${root}" -xdev -type f -executable); do
+ if readelf -d "${file}" 2>/dev/null | grep -qE "NEEDED.*\[${filter}\]$"; then
+ echo "${file}"
+ fi
+ done
+
+ return 0
+}
+
+main "$@" || exit $?
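Review bot: `for file in $(find "${root}" -xdev -type f -executable)` word-splits and glob-expands the find output, so a path containing whitespace reaches readelf in pieces and is silently dropped from the result; reading the paths with `find ... -print0 | while IFS= read -r -d '' file` avoids that. The library names are also pasted into the ERE unescaped, so the dots in a name like libnettle.so.7 match any character and the `+` characters in a name such as libstdc++.so.6 are treated as repetition operators; extracting the soname and comparing it as a fixed string would be exact. Smaller points: `local libraries="$@"` is a scalar, so the array syntax in `${libraries[*]// /|}` is misleading, and the usage and error messages should go to stderr.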
--
2.12.2
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-04 14:32 ` Michael Tremer
2020-05-13 10:52 ` [PATCH] make.sh: Add command to find dependencies Michael Tremer
@ 2020-05-13 10:55 ` Michael Tremer
2020-05-13 21:37 ` Matthias Fischer
1 sibling, 1 reply; 10+ messages in thread
From: Michael Tremer @ 2020-05-13 10:55 UTC (permalink / raw)
To: development
Hi,
I found my script!
I have committed it to the repository and sent a patch. Please have a look.
I have also added a simple shortcut for make.sh.
So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
You can also pass multiple libraries at once.
Best,
-Michael
> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>
> Hi,
>
> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>
> I would recommend the following:
>
> 1) Have a function that takes a binary name and returns whether it matches or not.
>
> 2) Have a second function that finds all binary files and calls the function from 1).
>
> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>
> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>
> You can run this instead:
>
> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>
> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>
> readelf is in the binutils package.
>
> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>
> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>
> Please feel free to ask questions :)
>
>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> Hi,
>>
>> On 01.05.2020 15:17, Michael Tremer wrote:
>>> Hi,
>>>
>>> Do we know if anything else but gnutls links against this?
>>
>> Me: no => Please don't merge this patch.
>>
>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>
>> You're right. IIRC, I read about a similar problem a while ago. And it
>> sucks...
>>
>> What I'm not sure about:
>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>
>> ToDo:
>> I thought about it. I'll try to write a script that loops through (all)
>> binaries and throws a message if an appropriate - missing - library (in
>> this case: libhogweed or libnettle) was found.
>>
>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>> [PROGRAM_NAME]', filtering the output.
>>
>> And just in case: has anyone here ever programmed anything like this
>> already?
>
> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>
> I should have kept it.
>
> -Michael
>
>>
>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>
>> Opinions?
>>
>> Best,
>> Matthias
>>
>
> -Michael
>
>>> -Michael
>>>
>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>
>>>> For details see:
>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>
>>>> This update also requires updating gnutls to '3.6.13'.
>>>>
>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>> ---
>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>> lfs/nettle | 6 +++---
>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>
>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>> index 58e3f57a0..20a269a8b 100644
>>>> --- a/config/rootfiles/common/nettle
>>>> +++ b/config/rootfiles/common/nettle
>>>> @@ -23,6 +23,7 @@
>>>> #usr/include/nettle/cmac.h
>>>> #usr/include/nettle/ctr.h
>>>> #usr/include/nettle/curve25519.h
>>>> +#usr/include/nettle/curve448.h
>>>> #usr/include/nettle/des.h
>>>> #usr/include/nettle/dsa-compat.h
>>>> #usr/include/nettle/dsa.h
>>>> @@ -32,6 +33,7 @@
>>>> #usr/include/nettle/ecdsa.h
>>>> #usr/include/nettle/eddsa.h
>>>> #usr/include/nettle/gcm.h
>>>> +#usr/include/nettle/gostdsa.h
>>>> #usr/include/nettle/gosthash94.h
>>>> #usr/include/nettle/hkdf.h
>>>> #usr/include/nettle/hmac.h
>>>> @@ -61,16 +63,17 @@
>>>> #usr/include/nettle/sha1.h
>>>> #usr/include/nettle/sha2.h
>>>> #usr/include/nettle/sha3.h
>>>> +#usr/include/nettle/siv-cmac.h
>>>> #usr/include/nettle/twofish.h
>>>> #usr/include/nettle/umac.h
>>>> #usr/include/nettle/version.h
>>>> #usr/include/nettle/xts.h
>>>> #usr/include/nettle/yarrow.h
>>>> usr/lib/libhogweed.so
>>>> -usr/lib/libhogweed.so.5
>>>> -usr/lib/libhogweed.so.5.0
>>>> +usr/lib/libhogweed.so.6
>>>> +usr/lib/libhogweed.so.6.0
>>>> #usr/lib/libnettle.so
>>>> -usr/lib/libnettle.so.7
>>>> -usr/lib/libnettle.so.7.0
>>>> +usr/lib/libnettle.so.8
>>>> +usr/lib/libnettle.so.8.0
>>>> #usr/lib/pkgconfig/hogweed.pc
>>>> #usr/lib/pkgconfig/nettle.pc
>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>> index cc34b1fad..de7428121 100644
>>>> --- a/lfs/nettle
>>>> +++ b/lfs/nettle
>>>> @@ -1,7 +1,7 @@
>>>> ###############################################################################
>>>> # #
>>>> # IPFire.org - A linux based firewall #
>>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>>> # #
>>>> # This program is free software: you can redistribute it and/or modify #
>>>> # it under the terms of the GNU General Public License as published by #
>>>> @@ -24,7 +24,7 @@
>>>>
>>>> include Config
>>>>
>>>> -VER = 3.5.1
>>>> +VER = 3.6
>>>>
>>>> THISAPP = nettle-$(VER)
>>>> DL_FILE = $(THISAPP).tar.gz
>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>
>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>
>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>
>>>> install : $(TARGET)
>>>>
>>>> --
>>>> 2.17.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-13 10:55 ` [PATCH] nettle: Update to 3.6 Michael Tremer
@ 2020-05-13 21:37 ` Matthias Fischer
2020-05-14 10:43 ` Michael Tremer
0 siblings, 1 reply; 10+ messages in thread
From: Matthias Fischer @ 2020-05-13 21:37 UTC (permalink / raw)
To: development
Hi,
On 13.05.2020 12:55, Michael Tremer wrote:
> Hi,
>
> I found my script!
YES! ;-)
> I have committed it to the repository and sent a patch. Please have a look.
Looked. Seems to work.
And it would have taken me much longer to write such a script. Great
you've found it.
> I have also added a simple shortcut for make.sh.
>
> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>
> You can also pass multiple libraries at once.
I took a ride on a Core144 build with:
./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
I wanted to know which libraries would be affected by the nettle 3.6 update.
Result (I cut '/git/ipfire.../build/'):
/usr/bin/virt-admin
/usr/bin/ivshmem-server
/usr/bin/bsdtar
/usr/bin/nettle-lfib-stream
/usr/bin/qemu-i386
/usr/bin/qemu-edid
/usr/bin/squidclient
/usr/bin/qemu-system-arm
/usr/bin/qemu-arm
/usr/bin/virt-host-validate
/usr/bin/danetool
/usr/bin/certtool
/usr/bin/bsdcat
/usr/bin/qemu-pr-helper
/usr/bin/bsdcpio
/usr/bin/qemu-system-x86_64
/usr/bin/qemu-img
/usr/bin/ping
/usr/bin/ivshmem-client
/usr/bin/nettle-pbkdf2
/usr/bin/pkcs1-conv
/usr/bin/sexp-conv
/usr/bin/qemu-io
/usr/bin/dnsdist
/usr/bin/qemu-x86_64
/usr/bin/kdig
/usr/bin/qemu-nbd
/usr/bin/elf2dmp
/usr/bin/qemu-system-i386
/usr/bin/nettle-hash
/usr/bin/virsh
/usr/libexec/qemu-bridge-helper
/usr/libexec/libvirt_iohelper
/usr/sbin/libvirtd
/usr/sbin/virtlockd
/usr/sbin/virtlogd
/usr/sbin/cups-genppd.5.2
/usr/sbin/squid
/usr/lib/libvirt.so.0.5006.0
/usr/lib/libvirt-admin.so.0.5006.0
/usr/lib/libhogweed.so.5.0
/usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
/usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
/usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
/usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
/usr/lib/libvirt/lock-driver/lockd.so
/usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
/usr/lib/libvirt-qemu.so.0.5006.0
/usr/lib/cups/filter/commandtocanon
/usr/lib/cups/filter/rastertogutenprint.5.2
/usr/lib/cups/filter/commandtoepson
/usr/lib/cups/driver/gutenprint.5.2
/usr/lib/squid/negotiate_wrapper_auth
/usr/lib/squid/digest_ldap_auth
/usr/lib/squid/ntlm_fake_auth
/usr/lib/squid/basic_radius_auth
/usr/lib/squid/digest_file_auth
/usr/lib/squid/basic_ncsa_auth
/usr/lib/squid/cachemgr.cgi
/usr/lib/squid/digest_edirectory_auth
/usr/lib/libgnutls.so.30.23.2
/usr/lib/libvirt-lxc.so.0.5006.0
/usr/lib/libarchive.so.13.4.0
/srv/web/ipfire/cgi-bin/cachemgr.cgi
Looks like we would need a compat version?
Best,
Matthias
> Best,
> -Michael
>
>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>
>> Hi,
>>
>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>
>> I would recommend the following:
>>
>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>
>> 2) Have a second function that finds all binary files and calls the function from 1).
>>
>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>
>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>
>> You can run this instead:
>>
>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>
>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>
>> readelf is in the binutils package.
>>
>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>
>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>
>> Please feel free to ask questions :)
>>
>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> Do we know if anything else but gnutls links against this?
>>>
>>> Me: no => Please don't merge this patch.
>>>
>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>
>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>> sucks...
>>>
>>> What I'm not sure about:
>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>
>>> ToDo:
>>> I thought about it. I'll try to write a script that loops through (all)
>>> binaries and throws a message if an appropriate - missing - library (in
>>> this case: libhogweed or libnettle) was found.
>>>
>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>> [PROGRAM_NAME]', filtering the output.
>>>
>>> And just in case: has anyone here ever programmed anything like this
>>> already?
>>
>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>
>> I should have kept it.
>>
>> -Michael
>>
>>>
>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>
>>> Opinions?
>>>
>>> Best,
>>> Matthias
>>>
>>
>> -Michael
>>
>>>> -Michael
>>>>
>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>
>>>>> For details see:
>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>
>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>
>>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>>> ---
>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>> lfs/nettle | 6 +++---
>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>
>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>> index 58e3f57a0..20a269a8b 100644
>>>>> --- a/config/rootfiles/common/nettle
>>>>> +++ b/config/rootfiles/common/nettle
>>>>> @@ -23,6 +23,7 @@
>>>>> #usr/include/nettle/cmac.h
>>>>> #usr/include/nettle/ctr.h
>>>>> #usr/include/nettle/curve25519.h
>>>>> +#usr/include/nettle/curve448.h
>>>>> #usr/include/nettle/des.h
>>>>> #usr/include/nettle/dsa-compat.h
>>>>> #usr/include/nettle/dsa.h
>>>>> @@ -32,6 +33,7 @@
>>>>> #usr/include/nettle/ecdsa.h
>>>>> #usr/include/nettle/eddsa.h
>>>>> #usr/include/nettle/gcm.h
>>>>> +#usr/include/nettle/gostdsa.h
>>>>> #usr/include/nettle/gosthash94.h
>>>>> #usr/include/nettle/hkdf.h
>>>>> #usr/include/nettle/hmac.h
>>>>> @@ -61,16 +63,17 @@
>>>>> #usr/include/nettle/sha1.h
>>>>> #usr/include/nettle/sha2.h
>>>>> #usr/include/nettle/sha3.h
>>>>> +#usr/include/nettle/siv-cmac.h
>>>>> #usr/include/nettle/twofish.h
>>>>> #usr/include/nettle/umac.h
>>>>> #usr/include/nettle/version.h
>>>>> #usr/include/nettle/xts.h
>>>>> #usr/include/nettle/yarrow.h
>>>>> usr/lib/libhogweed.so
>>>>> -usr/lib/libhogweed.so.5
>>>>> -usr/lib/libhogweed.so.5.0
>>>>> +usr/lib/libhogweed.so.6
>>>>> +usr/lib/libhogweed.so.6.0
>>>>> #usr/lib/libnettle.so
>>>>> -usr/lib/libnettle.so.7
>>>>> -usr/lib/libnettle.so.7.0
>>>>> +usr/lib/libnettle.so.8
>>>>> +usr/lib/libnettle.so.8.0
>>>>> #usr/lib/pkgconfig/hogweed.pc
>>>>> #usr/lib/pkgconfig/nettle.pc
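Review bot: the last hunk of this rootfile drops libhogweed.so.5 and libnettle.so.7 in the same step that adds libhogweed.so.6 and libnettle.so.8, so every binary that still carries a NEEDED entry for the old sonames will fail to load once the update is installed. Either keep the old libraries available (a compat package or the previous rootfile entries) or rebuild and ship every dependent in the same update, and list the dependents in the commit message.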
>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>> index cc34b1fad..de7428121 100644
>>>>> --- a/lfs/nettle
>>>>> +++ b/lfs/nettle
>>>>> @@ -1,7 +1,7 @@
>>>>> ###############################################################################
>>>>> # #
>>>>> # IPFire.org - A linux based firewall #
>>>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>>>> # #
>>>>> # This program is free software: you can redistribute it and/or modify #
>>>>> # it under the terms of the GNU General Public License as published by #
>>>>> @@ -24,7 +24,7 @@
>>>>>
>>>>> include Config
>>>>>
>>>>> -VER = 3.5.1
>>>>> +VER = 3.6
>>>>>
>>>>> THISAPP = nettle-$(VER)
>>>>> DL_FILE = $(THISAPP).tar.gz
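Review bot: the 'VER = 3.6' bump is not self-contained: the commit message says gnutls has to go to 3.6.13 as well, but the diffstat covers only the two nettle files. Send both changes as one series, or state the required merge order, so this patch cannot land on its own.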
>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>
>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>
>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>
>>>>> install : $(TARGET)
>>>>>
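Review bot: the new tarball is pinned only by the '$(DL_FILE)_MD5' value, and MD5 is not collision resistant, so the digest guards against a corrupted download rather than a substituted one. Verify the tarball against the upstream release signature before trusting the new digest, and say in the commit message that this was done.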
>>>>> --
>>>>> 2.17.1
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-13 21:37 ` Matthias Fischer
@ 2020-05-14 10:43 ` Michael Tremer
2020-05-14 11:35 ` Matthias Fischer
0 siblings, 1 reply; 10+ messages in thread
From: Michael Tremer @ 2020-05-14 10:43 UTC (permalink / raw)
To: development
Hi,
Oh. This is indeed a very long list of files.
Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
I have no idea why cachemgr.cgi matches though.
Best,
-Michael
> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> On 13.05.2020 12:55, Michael Tremer wrote:
>> Hi,
>>
>> I found my script!
>
> YES! ;-)
>
>> I have committed it to the repository and sent a patch. Please have a look.
>
> Looked. Seems to work.
>
> And it would have taken me much longer to write such a script. Great
> you've found it.
>
>> I have also added a simple shortcut for make.sh.
>>
>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>
>> You can also pass multiple libraries at once.
>
> I took a ride on a Core144 build with:
>
> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>
> I wanted to know which libraries would be affected by the nettle 3.6 update.
>
> Result (I cut '/git/ipfire.../build/'):
>
> /usr/bin/virt-admin
> /usr/bin/ivshmem-server
> /usr/bin/bsdtar
> /usr/bin/nettle-lfib-stream
> /usr/bin/qemu-i386
> /usr/bin/qemu-edid
> /usr/bin/squidclient
> /usr/bin/qemu-system-arm
> /usr/bin/qemu-arm
> /usr/bin/virt-host-validate
> /usr/bin/danetool
> /usr/bin/certtool
> /usr/bin/bsdcat
> /usr/bin/qemu-pr-helper
> /usr/bin/bsdcpio
> /usr/bin/qemu-system-x86_64
> /usr/bin/qemu-img
> /usr/bin/ping
> /usr/bin/ivshmem-client
> /usr/bin/nettle-pbkdf2
> /usr/bin/pkcs1-conv
> /usr/bin/sexp-conv
> /usr/bin/qemu-io
> /usr/bin/dnsdist
> /usr/bin/qemu-x86_64
> /usr/bin/kdig
> /usr/bin/qemu-nbd
> /usr/bin/elf2dmp
> /usr/bin/qemu-system-i386
> /usr/bin/nettle-hash
> /usr/bin/virsh
> /usr/libexec/qemu-bridge-helper
> /usr/libexec/libvirt_iohelper
> /usr/sbin/libvirtd
> /usr/sbin/virtlockd
> /usr/sbin/virtlogd
> /usr/sbin/cups-genppd.5.2
> /usr/sbin/squid
> /usr/lib/libvirt.so.0.5006.0
> /usr/lib/libvirt-admin.so.0.5006.0
> /usr/lib/libhogweed.so.5.0
> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
> /usr/lib/libvirt/lock-driver/lockd.so
> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
> /usr/lib/libvirt-qemu.so.0.5006.0
> /usr/lib/cups/filter/commandtocanon
> /usr/lib/cups/filter/rastertogutenprint.5.2
> /usr/lib/cups/filter/commandtoepson
> /usr/lib/cups/driver/gutenprint.5.2
> /usr/lib/squid/negotiate_wrapper_auth
> /usr/lib/squid/digest_ldap_auth
> /usr/lib/squid/ntlm_fake_auth
> /usr/lib/squid/basic_radius_auth
> /usr/lib/squid/digest_file_auth
> /usr/lib/squid/basic_ncsa_auth
> /usr/lib/squid/cachemgr.cgi
> /usr/lib/squid/digest_edirectory_auth
> /usr/lib/libgnutls.so.30.23.2
> /usr/lib/libvirt-lxc.so.0.5006.0
> /usr/lib/libarchive.so.13.4.0
> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>
> Looks like we would need a compat version?
>
> Best,
> Matthias
>
>> Best,
>> -Michael
>>
>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>
>>> I would recommend the following:
>>>
>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>
>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>
>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>
>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>>
>>> You can run this instead:
>>>
>>> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>
>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>
>>> readelf is in the binutils package.
>>>
>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>
>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>
>>> Please feel free to ask questions :)
>>>
>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>> Hi,
>>>>>
>>>>> Do we know if anything else but gnutls links against this?
>>>>
>>>> Me: no => Please don't merge this patch.
>>>>
>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>
>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>> sucks...
>>>>
>>>> What I'm not sure about:
>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>
>>>> ToDo:
>>>> I thought about it. I'll try to write a script that loops through (all)
>>>> binaries and throws a message if an appropriate - missing - library (in
>>>> this case: libhogweed or libnettle) was found.
>>>>
>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>> [PROGRAM_NAME]', filtering the output.
>>>>
>>>> And just in case: has anyone here ever programmed anything like this
>>>> already?
>>>
>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>
>>> I should have kept it.
>>>
>>> -Michael
>>>
>>>>
>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>
>>>> Opinions?
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>
>>> -Michael
>>>
>>>>> -Michael
>>>>>
>>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>>
>>>>>> For details see:
>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>>
>>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>>
>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>>>> ---
>>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>>> lfs/nettle | 6 +++---
>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>>
>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>>> index 58e3f57a0..20a269a8b 100644
>>>>>> --- a/config/rootfiles/common/nettle
>>>>>> +++ b/config/rootfiles/common/nettle
>>>>>> @@ -23,6 +23,7 @@
>>>>>> #usr/include/nettle/cmac.h
>>>>>> #usr/include/nettle/ctr.h
>>>>>> #usr/include/nettle/curve25519.h
>>>>>> +#usr/include/nettle/curve448.h
>>>>>> #usr/include/nettle/des.h
>>>>>> #usr/include/nettle/dsa-compat.h
>>>>>> #usr/include/nettle/dsa.h
>>>>>> @@ -32,6 +33,7 @@
>>>>>> #usr/include/nettle/ecdsa.h
>>>>>> #usr/include/nettle/eddsa.h
>>>>>> #usr/include/nettle/gcm.h
>>>>>> +#usr/include/nettle/gostdsa.h
>>>>>> #usr/include/nettle/gosthash94.h
>>>>>> #usr/include/nettle/hkdf.h
>>>>>> #usr/include/nettle/hmac.h
>>>>>> @@ -61,16 +63,17 @@
>>>>>> #usr/include/nettle/sha1.h
>>>>>> #usr/include/nettle/sha2.h
>>>>>> #usr/include/nettle/sha3.h
>>>>>> +#usr/include/nettle/siv-cmac.h
>>>>>> #usr/include/nettle/twofish.h
>>>>>> #usr/include/nettle/umac.h
>>>>>> #usr/include/nettle/version.h
>>>>>> #usr/include/nettle/xts.h
>>>>>> #usr/include/nettle/yarrow.h
>>>>>> usr/lib/libhogweed.so
>>>>>> -usr/lib/libhogweed.so.5
>>>>>> -usr/lib/libhogweed.so.5.0
>>>>>> +usr/lib/libhogweed.so.6
>>>>>> +usr/lib/libhogweed.so.6.0
>>>>>> #usr/lib/libnettle.so
>>>>>> -usr/lib/libnettle.so.7
>>>>>> -usr/lib/libnettle.so.7.0
>>>>>> +usr/lib/libnettle.so.8
>>>>>> +usr/lib/libnettle.so.8.0
>>>>>> #usr/lib/pkgconfig/hogweed.pc
>>>>>> #usr/lib/pkgconfig/nettle.pc
>>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>>> index cc34b1fad..de7428121 100644
>>>>>> --- a/lfs/nettle
>>>>>> +++ b/lfs/nettle
>>>>>> @@ -1,7 +1,7 @@
>>>>>> ###############################################################################
>>>>>> # #
>>>>>> # IPFire.org - A linux based firewall #
>>>>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>>>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>>>>> # #
>>>>>> # This program is free software: you can redistribute it and/or modify #
>>>>>> # it under the terms of the GNU General Public License as published by #
>>>>>> @@ -24,7 +24,7 @@
>>>>>>
>>>>>> include Config
>>>>>>
>>>>>> -VER = 3.5.1
>>>>>> +VER = 3.6
>>>>>>
>>>>>> THISAPP = nettle-$(VER)
>>>>>> DL_FILE = $(THISAPP).tar.gz
>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>
>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>
>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>>
>>>>>> install : $(TARGET)
>>>>>>
>>>>>> --
>>>>>> 2.17.1
>>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] nettle: Update to 3.6
2020-05-14 10:43 ` Michael Tremer
@ 2020-05-14 11:35 ` Matthias Fischer
2020-05-14 11:37 ` Michael Tremer
0 siblings, 1 reply; 10+ messages in thread
From: Matthias Fischer @ 2020-05-14 11:35 UTC (permalink / raw)
To: development
Hi,
cachemgr.cgi is in fact an ELF binary.
I don't know why it was named 'cgi'.
Best,
Matthias
On 14.05.2020 12:43, Michael Tremer wrote:
> Hi,
>
> Oh. This is indeed a very long list of files.
>
> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>
> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>
> I have no idea why cachemgr.cgi matches though.
>
> Best,
> -Michael
>
>> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> Hi,
>>
>> On 13.05.2020 12:55, Michael Tremer wrote:
>>> Hi,
>>>
>>> I found my script!
>>
>> YES! ;-)
>>
>>> I have committed it to the repository and sent a patch. Please have a look.
>>
>> Looked. Seems to work.
>>
>> And it would have taken me much longer to write such a script. Great
>> you've found it.
>>
>>> I have also added a simple shortcut for make.sh.
>>>
>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>
>>> You can also pass multiple libraries at once.
>>
>> I took a ride on a Core144 build with:
>>
>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>
>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>>
>> Result (I cut '/git/ipfire.../build/'):
>>
>> /usr/bin/virt-admin
>> /usr/bin/ivshmem-server
>> /usr/bin/bsdtar
>> /usr/bin/nettle-lfib-stream
>> /usr/bin/qemu-i386
>> /usr/bin/qemu-edid
>> /usr/bin/squidclient
>> /usr/bin/qemu-system-arm
>> /usr/bin/qemu-arm
>> /usr/bin/virt-host-validate
>> /usr/bin/danetool
>> /usr/bin/certtool
>> /usr/bin/bsdcat
>> /usr/bin/qemu-pr-helper
>> /usr/bin/bsdcpio
>> /usr/bin/qemu-system-x86_64
>> /usr/bin/qemu-img
>> /usr/bin/ping
>> /usr/bin/ivshmem-client
>> /usr/bin/nettle-pbkdf2
>> /usr/bin/pkcs1-conv
>> /usr/bin/sexp-conv
>> /usr/bin/qemu-io
>> /usr/bin/dnsdist
>> /usr/bin/qemu-x86_64
>> /usr/bin/kdig
>> /usr/bin/qemu-nbd
>> /usr/bin/elf2dmp
>> /usr/bin/qemu-system-i386
>> /usr/bin/nettle-hash
>> /usr/bin/virsh
>> /usr/libexec/qemu-bridge-helper
>> /usr/libexec/libvirt_iohelper
>> /usr/sbin/libvirtd
>> /usr/sbin/virtlockd
>> /usr/sbin/virtlogd
>> /usr/sbin/cups-genppd.5.2
>> /usr/sbin/squid
>> /usr/lib/libvirt.so.0.5006.0
>> /usr/lib/libvirt-admin.so.0.5006.0
>> /usr/lib/libhogweed.so.5.0
>> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
>> /usr/lib/libvirt/lock-driver/lockd.so
>> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
>> /usr/lib/libvirt-qemu.so.0.5006.0
>> /usr/lib/cups/filter/commandtocanon
>> /usr/lib/cups/filter/rastertogutenprint.5.2
>> /usr/lib/cups/filter/commandtoepson
>> /usr/lib/cups/driver/gutenprint.5.2
>> /usr/lib/squid/negotiate_wrapper_auth
>> /usr/lib/squid/digest_ldap_auth
>> /usr/lib/squid/ntlm_fake_auth
>> /usr/lib/squid/basic_radius_auth
>> /usr/lib/squid/digest_file_auth
>> /usr/lib/squid/basic_ncsa_auth
>> /usr/lib/squid/cachemgr.cgi
>> /usr/lib/squid/digest_edirectory_auth
>> /usr/lib/libgnutls.so.30.23.2
>> /usr/lib/libvirt-lxc.so.0.5006.0
>> /usr/lib/libarchive.so.13.4.0
>> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>>
>> Looks like we would need a compat version?
>>
>> Best,
>> Matthias
>>
>>> Best,
>>> -Michael
>>>
>>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>>
>>>> I would recommend the following:
>>>>
>>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>>
>>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>>
>>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>>
>>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>>>
>>>> You can run this instead:
>>>>
>>>> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>>
>>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>>
>>>> readelf is in the binutils package.
>>>>
>>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>>
>>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>>
>>>> Please feel free to ask questions :)
>>>>
>>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Do we know if anything else but gnutls links against this?
>>>>>
>>>>> Me: no => Please don't merge this patch.
>>>>>
>>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>>
>>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>>> sucks...
>>>>>
>>>>> What I'm not sure about:
>>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>>
>>>>> ToDo:
>>>>> I thought about it. I'll try to write a script that loops through (all)
>>>>> binaries and throws a message if an appropriate - missing - library (in
>>>>> this case: libhogweed or libnettle) was found.
>>>>>
>>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>>> [PROGRAM_NAME]', filtering the output.
>>>>>
>>>>> And just in case: has anyone here ever programmed anything like this
>>>>> already?
>>>>
>>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>>
>>>> I should have kept it.
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>>
>>>>> Opinions?
>>>>>
>>>>> Best,
>>>>> Matthias
>>>>>
>>>>
>>>> -Michael
>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>>>
>>>>>>> For details see:
>>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>>>
>>>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>>>
>>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>>>>> ---
>>>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>>>> lfs/nettle | 6 +++---
>>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>>>
>>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>>>> index 58e3f57a0..20a269a8b 100644
>>>>>>> --- a/config/rootfiles/common/nettle
>>>>>>> +++ b/config/rootfiles/common/nettle
>>>>>>> @@ -23,6 +23,7 @@
>>>>>>> #usr/include/nettle/cmac.h
>>>>>>> #usr/include/nettle/ctr.h
>>>>>>> #usr/include/nettle/curve25519.h
>>>>>>> +#usr/include/nettle/curve448.h
>>>>>>> #usr/include/nettle/des.h
>>>>>>> #usr/include/nettle/dsa-compat.h
>>>>>>> #usr/include/nettle/dsa.h
>>>>>>> @@ -32,6 +33,7 @@
>>>>>>> #usr/include/nettle/ecdsa.h
>>>>>>> #usr/include/nettle/eddsa.h
>>>>>>> #usr/include/nettle/gcm.h
>>>>>>> +#usr/include/nettle/gostdsa.h
>>>>>>> #usr/include/nettle/gosthash94.h
>>>>>>> #usr/include/nettle/hkdf.h
>>>>>>> #usr/include/nettle/hmac.h
>>>>>>> @@ -61,16 +63,17 @@
>>>>>>> #usr/include/nettle/sha1.h
>>>>>>> #usr/include/nettle/sha2.h
>>>>>>> #usr/include/nettle/sha3.h
>>>>>>> +#usr/include/nettle/siv-cmac.h
>>>>>>> #usr/include/nettle/twofish.h
>>>>>>> #usr/include/nettle/umac.h
>>>>>>> #usr/include/nettle/version.h
>>>>>>> #usr/include/nettle/xts.h
>>>>>>> #usr/include/nettle/yarrow.h
>>>>>>> usr/lib/libhogweed.so
>>>>>>> -usr/lib/libhogweed.so.5
>>>>>>> -usr/lib/libhogweed.so.5.0
>>>>>>> +usr/lib/libhogweed.so.6
>>>>>>> +usr/lib/libhogweed.so.6.0
>>>>>>> #usr/lib/libnettle.so
>>>>>>> -usr/lib/libnettle.so.7
>>>>>>> -usr/lib/libnettle.so.7.0
>>>>>>> +usr/lib/libnettle.so.8
>>>>>>> +usr/lib/libnettle.so.8.0
>>>>>>> #usr/lib/pkgconfig/hogweed.pc
>>>>>>> #usr/lib/pkgconfig/nettle.pc
>>>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>>>> index cc34b1fad..de7428121 100644
>>>>>>> --- a/lfs/nettle
>>>>>>> +++ b/lfs/nettle
>>>>>>> @@ -1,7 +1,7 @@
>>>>>>> ###############################################################################
>>>>>>> # #
>>>>>>> # IPFire.org - A linux based firewall #
>>>>>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>>>>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>>>>>> # #
>>>>>>> # This program is free software: you can redistribute it and/or modify #
>>>>>>> # it under the terms of the GNU General Public License as published by #
>>>>>>> @@ -24,7 +24,7 @@
>>>>>>>
>>>>>>> include Config
>>>>>>>
>>>>>>> -VER = 3.5.1
>>>>>>> +VER = 3.6
>>>>>>>
>>>>>>> THISAPP = nettle-$(VER)
>>>>>>> DL_FILE = $(THISAPP).tar.gz
>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>>
>>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>>
>>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>>>
>>>>>>> install : $(TARGET)
>>>>>>>
>>>>>>> --
>>>>>>> 2.17.1
>>>
>>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
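The approach discussed in this thread (one function that reads a file's direct NEEDED entries, a second that walks all executable files and calls it), written out as an added example; it is not the find-dependencies script from the IPFire repository. It parses the ELF dynamic section in Python instead of calling readelf, and the function names, the sample tree and the files via-gnutls and not-executable.so are constructed for illustration.

```python
import os
import stat
import struct
import tempfile

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# EI_CLASS -> (e_phoff format/offset, e_phentsize offset, program header
# format, indexes of type/offset/vaddr/filesz in it, dynamic entry format)
LAYOUT = {1: ("I", 0x1C, 0x2A, "IIIII", (0, 1, 2, 4), "iI"),    # ELF32
          2: ("Q", 0x20, 0x36, "IIQQQQ", (0, 2, 3, 5), "qQ")}   # ELF64


def direct_needed(path):
    """Direct DT_NEEDED sonames of an ELF file (what `readelf --dynamic`
    shows, not ldd's transitive list); None if the file is not ELF."""
    with open(path, "rb") as fh:
        if fh.read(4) != b"\x7fELF":       # decide by magic, never by name
            return None
        data = b"\x7fELF" + fh.read()
    if len(data) < 52 or data[4] not in LAYOUT or data[5] not in (1, 2):
        return None
    e = "<" if data[5] == 1 else ">"       # EI_DATA: byte order
    po_fmt, po_at, pe_at, ph_fmt, pick, dyn_fmt = LAYOUT[data[4]]
    try:
        phoff, = struct.unpack_from(e + po_fmt, data, po_at)
        entsize, num = struct.unpack_from(e + "HH", data, pe_at)
        segs = []                          # (type, file offset, vaddr, filesz)
        for i in range(num):
            hdr = struct.unpack_from(e + ph_fmt, data, phoff + i * entsize)
            segs.append(tuple(hdr[k] for k in pick))
        dyn = [(off, size) for typ, off, _, size in segs if typ == PT_DYNAMIC]
        if not dyn:
            return []                      # statically linked
        names, strtab, step = [], None, struct.calcsize(e + dyn_fmt)
        for at in range(dyn[0][0], dyn[0][0] + dyn[0][1], step):
            tag, val = struct.unpack_from(e + dyn_fmt, data, at)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                names.append(val)          # offset into the string table
            elif tag == DT_STRTAB:
                strtab = val               # virtual address, not file offset
        if not names:
            return []
        base = next(off + strtab - va for typ, off, va, size in segs
                    if typ == PT_LOAD and va <= strtab < va + size)
        return [data[base + n:data.index(b"\0", base + n)].decode()
                for n in names]
    except (struct.error, StopIteration, TypeError, ValueError):
        return None                        # truncated or malformed file


def find_dependents(root, sonames):
    """List files under root whose DT_NEEDED names any of sonames."""
    wanted, hits = set(sonames), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue                   # skip symlinks and non-executables
            if wanted.intersection(direct_needed(path) or ()):
                hits.append("/" + os.path.relpath(path, root))
    return sorted(hits)


def make_sample_elf(path, sonames, mode=0o755):
    """Write a constructed, minimal ELF64 file that only carries DT_NEEDED."""
    vbase, dyn_off = 0x400000, 64 + 2 * 56
    str_off = dyn_off + (len(sonames) + 2) * 16
    strtab, dyn = b"\0", b""
    for soname in sonames:
        dyn += struct.pack("<qQ", DT_NEEDED, len(strtab))
        strtab += soname.encode() + b"\0"
    dyn += struct.pack("<qQqQ", DT_STRTAB, vbase + str_off, DT_NULL, 0)
    end = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, vbase, vbase, end, end, 4096)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, vbase + dyn_off,
                       vbase + dyn_off, len(dyn), len(dyn), 8)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(ehdr + load + dynp + dyn + strtab)
    os.chmod(path, mode)


def demo():
    """Scan a constructed tree for direct users of the old nettle sonames."""
    old = ["libhogweed.so.5", "libnettle.so.7"]
    with tempfile.TemporaryDirectory() as root:
        make_sample_elf(root + "/usr/lib/libgnutls.so.30.23.2", old)
        make_sample_elf(root + "/usr/lib/squid/cachemgr.cgi", old[1:])
        make_sample_elf(root + "/usr/bin/via-gnutls", ["libgnutls.so.30"])
        make_sample_elf(root + "/usr/lib/not-executable.so", old, mode=0o644)
        return find_dependents(root, old)
```

In the constructed tree, cachemgr.cgi is reported because the check looks at the ELF magic rather than the file name, while via-gnutls is not, since it reaches nettle only through libgnutls.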
* Re: [PATCH] nettle: Update to 3.6
2020-05-14 11:35 ` Matthias Fischer
@ 2020-05-14 11:37 ` Michael Tremer
0 siblings, 0 replies; 10+ messages in thread
From: Michael Tremer @ 2020-05-14 11:37 UTC (permalink / raw)
To: development
Oh.
> On 14 May 2020, at 12:35, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> cachemgr.cgi is in fact an ELF binary.
>
> I don't know why it was named 'cgi'.
>
> Best,
> Matthias
>
> On 14.05.2020 12:43, Michael Tremer wrote:
>> Hi,
>>
>> Oh. This is indeed a very long list of files.
>>
>> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>>
>> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>>
>> I have no idea why cachemgr.cgi matches though.
>>
>> Best,
>> -Michael
>>
>>> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> On 13.05.2020 12:55, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> I found my script!
>>>
>>> YES! ;-)
>>>
>>>> I have committed it to the repository and sent a patch. Please have a look.
>>>
>>> Looked. Seems to work.
>>>
>>> And it would have taken me much longer to write such a script. Great
>>> you've found it.
>>>
>>>> I have also added a simple shortcut for make.sh.
>>>>
>>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>>
>>>> You can also pass multiple libraries at once.
>>>
>>> I took a ride on a Core144 build with:
>>>
>>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>>
>>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>>>
>>> Result (I cut '/git/ipfire.../build/'):
>>>
>>> /usr/bin/virt-admin
>>> /usr/bin/ivshmem-server
>>> /usr/bin/bsdtar
>>> /usr/bin/nettle-lfib-stream
>>> /usr/bin/qemu-i386
>>> /usr/bin/qemu-edid
>>> /usr/bin/squidclient
>>> /usr/bin/qemu-system-arm
>>> /usr/bin/qemu-arm
>>> /usr/bin/virt-host-validate
>>> /usr/bin/danetool
>>> /usr/bin/certtool
>>> /usr/bin/bsdcat
>>> /usr/bin/qemu-pr-helper
>>> /usr/bin/bsdcpio
>>> /usr/bin/qemu-system-x86_64
>>> /usr/bin/qemu-img
>>> /usr/bin/ping
>>> /usr/bin/ivshmem-client
>>> /usr/bin/nettle-pbkdf2
>>> /usr/bin/pkcs1-conv
>>> /usr/bin/sexp-conv
>>> /usr/bin/qemu-io
>>> /usr/bin/dnsdist
>>> /usr/bin/qemu-x86_64
>>> /usr/bin/kdig
>>> /usr/bin/qemu-nbd
>>> /usr/bin/elf2dmp
>>> /usr/bin/qemu-system-i386
>>> /usr/bin/nettle-hash
>>> /usr/bin/virsh
>>> /usr/libexec/qemu-bridge-helper
>>> /usr/libexec/libvirt_iohelper
>>> /usr/sbin/libvirtd
>>> /usr/sbin/virtlockd
>>> /usr/sbin/virtlogd
>>> /usr/sbin/cups-genppd.5.2
>>> /usr/sbin/squid
>>> /usr/lib/libvirt.so.0.5006.0
>>> /usr/lib/libvirt-admin.so.0.5006.0
>>> /usr/lib/libhogweed.so.5.0
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
>>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
>>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
>>> /usr/lib/libvirt/lock-driver/lockd.so
>>> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
>>> /usr/lib/libvirt-qemu.so.0.5006.0
>>> /usr/lib/cups/filter/commandtocanon
>>> /usr/lib/cups/filter/rastertogutenprint.5.2
>>> /usr/lib/cups/filter/commandtoepson
>>> /usr/lib/cups/driver/gutenprint.5.2
>>> /usr/lib/squid/negotiate_wrapper_auth
>>> /usr/lib/squid/digest_ldap_auth
>>> /usr/lib/squid/ntlm_fake_auth
>>> /usr/lib/squid/basic_radius_auth
>>> /usr/lib/squid/digest_file_auth
>>> /usr/lib/squid/basic_ncsa_auth
>>> /usr/lib/squid/cachemgr.cgi
>>> /usr/lib/squid/digest_edirectory_auth
>>> /usr/lib/libgnutls.so.30.23.2
>>> /usr/lib/libvirt-lxc.so.0.5006.0
>>> /usr/lib/libarchive.so.13.4.0
>>> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>>>
>>> Looks like we would need a compat version?
>>>
>>> Best,
>>> Matthias
>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>>>
>>>>> I would recommend the following:
>>>>>
>>>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>>>
>>>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>>>
>>>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>>>
>>>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>>>>
>>>>> You can run this instead:
>>>>>
>>>>> root(a)michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>>>
>>>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>>>
>>>>> readelf is in the binutils package.
>>>>>
>>>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>>>
>>>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>>>
>>>>> Please feel free to ask questions :)
>>>>>
>>>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Do we know if anything else but gnutls links against this?
>>>>>>
>>>>>> Me: no => Please don't merge this patch.
>>>>>>
>>>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>>>
>>>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>>>> sucks...
>>>>>>
>>>>>> What I'm not sure about:
>>>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>>>
>>>>>> ToDo:
>>>>>> I thought about it. I'll try to write a script that loops through (all)
>>>>>> binaries and throws a message if an appropriate - missing - library (in
>>>>>> this case: libhogweed or libnettle) was found.
>>>>>>
>>>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>>>> [PROGRAM_NAME]', filtering the output.
>>>>>>
>>>>>> And just in case: has anyone here ever programmed anything like this
>>>>>> already?
>>>>>
>>>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>>>
>>>>> I should have kept it.
>>>>>
>>>>> -Michael
>>>>>
>>>>>>
>>>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>>>
>>>>>> Opinions?
>>>>>>
>>>>>> Best,
>>>>>> Matthias
>>>>>>
>>>>>
>>>>> -Michael
>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>>>>>
>>>>>>>> For details see:
>>>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>>>>
>>>>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>>>>
>>>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>>>>>> ---
>>>>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>>>>> lfs/nettle | 6 +++---
>>>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>>>>
>>>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>>>>> index 58e3f57a0..20a269a8b 100644
>>>>>>>> --- a/config/rootfiles/common/nettle
>>>>>>>> +++ b/config/rootfiles/common/nettle
>>>>>>>> @@ -23,6 +23,7 @@
>>>>>>>> #usr/include/nettle/cmac.h
>>>>>>>> #usr/include/nettle/ctr.h
>>>>>>>> #usr/include/nettle/curve25519.h
>>>>>>>> +#usr/include/nettle/curve448.h
>>>>>>>> #usr/include/nettle/des.h
>>>>>>>> #usr/include/nettle/dsa-compat.h
>>>>>>>> #usr/include/nettle/dsa.h
>>>>>>>> @@ -32,6 +33,7 @@
>>>>>>>> #usr/include/nettle/ecdsa.h
>>>>>>>> #usr/include/nettle/eddsa.h
>>>>>>>> #usr/include/nettle/gcm.h
>>>>>>>> +#usr/include/nettle/gostdsa.h
>>>>>>>> #usr/include/nettle/gosthash94.h
>>>>>>>> #usr/include/nettle/hkdf.h
>>>>>>>> #usr/include/nettle/hmac.h
>>>>>>>> @@ -61,16 +63,17 @@
>>>>>>>> #usr/include/nettle/sha1.h
>>>>>>>> #usr/include/nettle/sha2.h
>>>>>>>> #usr/include/nettle/sha3.h
>>>>>>>> +#usr/include/nettle/siv-cmac.h
>>>>>>>> #usr/include/nettle/twofish.h
>>>>>>>> #usr/include/nettle/umac.h
>>>>>>>> #usr/include/nettle/version.h
>>>>>>>> #usr/include/nettle/xts.h
>>>>>>>> #usr/include/nettle/yarrow.h
>>>>>>>> usr/lib/libhogweed.so
>>>>>>>> -usr/lib/libhogweed.so.5
>>>>>>>> -usr/lib/libhogweed.so.5.0
>>>>>>>> +usr/lib/libhogweed.so.6
>>>>>>>> +usr/lib/libhogweed.so.6.0
>>>>>>>> #usr/lib/libnettle.so
>>>>>>>> -usr/lib/libnettle.so.7
>>>>>>>> -usr/lib/libnettle.so.7.0
>>>>>>>> +usr/lib/libnettle.so.8
>>>>>>>> +usr/lib/libnettle.so.8.0
>>>>>>>> #usr/lib/pkgconfig/hogweed.pc
>>>>>>>> #usr/lib/pkgconfig/nettle.pc
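Review bot: the soname bump at the end of this hunk (libhogweed.so.5 to libhogweed.so.6, libnettle.so.7 to libnettle.so.8) removes the old runtime libraries from the rootfile, so any binary whose DT_NEEDED entries still name libnettle.so.7 or libhogweed.so.5 will fail to load after the update. The commit message names only gnutls as a consumer; before merging, list every binary that needs the old sonames and rebuild and ship those packages in the same update. Where a consumer cannot be rebuilt, keep the old libraries available as a compat package rather than pointing the old name at the new major version, since a changed soname signals an incompatible ABI.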
>>>>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>>>>> index cc34b1fad..de7428121 100644
>>>>>>>> --- a/lfs/nettle
>>>>>>>> +++ b/lfs/nettle
>>>>>>>> @@ -1,7 +1,7 @@
>>>>>>>> ###############################################################################
>>>>>>>> # #
>>>>>>>> # IPFire.org - A linux based firewall #
>>>>>>>> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
>>>>>>>> +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
>>>>>>>> # #
>>>>>>>> # This program is free software: you can redistribute it and/or modify #
>>>>>>>> # it under the terms of the GNU General Public License as published by #
>>>>>>>> @@ -24,7 +24,7 @@
>>>>>>>>
>>>>>>>> include Config
>>>>>>>>
>>>>>>>> -VER = 3.5.1
>>>>>>>> +VER = 3.6
>>>>>>>>
>>>>>>>> THISAPP = nettle-$(VER)
>>>>>>>> DL_FILE = $(THISAPP).tar.gz
>>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>>>
>>>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>>>
>>>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>>>>
>>>>>>>> install : $(TARGET)
>>>>>>>>
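Review bot: the only integrity check on the new tarball in this hunk is the $(DL_FILE)_MD5 line, and MD5 is broken for collision resistance, so it should be treated as a guard against a corrupted download rather than as an authenticity check. Suggest verifying nettle-3.6.tar.gz against the signature upstream publishes for the release before recording the checksum, and adding a stronger digest next to the MD5 if the build system supports one.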
>>>>>>>> --
>>>>>>>> 2.17.1
>>>>
>>>
>>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
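
The check discussed in the quoted messages above (use find to pick executable files, then read each file's own DT_NEEDED entries with readelf instead of resolving everything with ldd), as an added example that is not part of the thread or of IPFire's make.sh. The function names, the script name in the usage comment and the sample readelf output are constructed for illustration; `-perm /111` assumes GNU find.

```shell
#!/bin/sh
# Constructed sample of `readelf -d` output for a binary built against nettle 3.5.1.
SAMPLE=' 0x0000000000000001 (NEEDED)             Shared library: [libnettle.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libhogweed.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libgnutls.so.30]'

# needed_libs: read `readelf -d` output on stdin, print each DT_NEEDED soname.
needed_libs() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# matches_any SONAME PATTERN...: true if SONAME matches one of the glob patterns.
matches_any() {
    soname=$1; shift
    for pat in "$@"; do
        case $soname in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# filter_needed PATTERN...: like needed_libs, but keep only matching sonames.
filter_needed() {
    needed_libs | while IFS= read -r so; do
        if matches_any "$so" "$@"; then printf '%s\n' "$so"; fi
    done
}

# scan_root ROOT PATTERN...: print "file: soname" for every executable regular
# file under ROOT that directly needs a matching library. Non-ELF files make
# readelf fail and are skipped silently.
scan_root() {
    root=$1; shift
    find "$root" -xdev -type f -perm /111 -print | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null </dev/null | filter_needed "$@" |
            while IFS= read -r so; do printf '%s: %s\n' "$f" "$so"; done
    done
}

# Example: sh find-needed.sh / 'libnettle.so.7' 'libhogweed.so.5'
if [ "$#" -ge 2 ]; then
    scan_root "$@"
fi
```

This reports direct DT_NEEDED entries only; a library loaded at run time with dlopen() does not appear in the dynamic section and needs a separate check.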
end of thread, other threads:[~2020-05-14 11:37 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
2020-05-01 10:54 [PATCH] nettle: Update to 3.6 Matthias Fischer
2020-05-01 13:17 ` Michael Tremer
2020-05-02 8:53 ` Matthias Fischer
2020-05-04 14:32 ` Michael Tremer
2020-05-13 10:52 ` [PATCH] make.sh: Add command to find dependencies Michael Tremer
2020-05-13 10:55 ` [PATCH] nettle: Update to 3.6 Michael Tremer
2020-05-13 21:37 ` Matthias Fischer
2020-05-14 10:43 ` Michael Tremer
2020-05-14 11:35 ` Matthias Fischer
2020-05-14 11:37 ` Michael Tremer