From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Thu, 14 May 2020 12:37:38 +0100
In-Reply-To: <92953306-e798-33fd-dd4c-558ce4dea90f@ipfire.org>

Oh.

> On 14 May 2020, at 12:35, Matthias Fischer wrote:
>
> Hi,
>
> cachemgr.cgi is in fact an ELF binary.
>
> I don't know why it was named 'cgi'.
>
> Best,
> Matthias
>
> On 14.05.2020 12:43, Michael Tremer wrote:
>> Hi,
>>
>> Oh. This is indeed a very long list of files.
>>
>> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>>
>> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>>
>> I have no idea why cachemgr.cgi matches though.
>>
>> Best,
>> -Michael
>>
>>> On 13 May 2020, at 22:37, Matthias Fischer wrote:
>>>
>>> Hi,
>>>
>>> On 13.05.2020 12:55, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> I found my script!
>>>
>>> YES! ;-)
>>>
>>>> I have committed it to the repository and sent a patch. Please have a look.
>>>
>>> Looked. Seems to work.
>>>
>>> And it would have taken me much longer to write such a script. Great
>>> you've found it.
>>>
>>>> I have also added a simple shortcut for make.sh.
>>>>
>>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>>
>>>> You can also pass multiple libraries at once.
>>>
>>> I took a ride on a Core144 build with:
>>>
>>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>>
>>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>>>
>>> Result (I cut '/git/ipfire.../build/'):
>>>
>>> /usr/bin/virt-admin
>>> /usr/bin/ivshmem-server
>>> /usr/bin/bsdtar
>>> /usr/bin/nettle-lfib-stream
>>> /usr/bin/qemu-i386
>>> /usr/bin/qemu-edid
>>> /usr/bin/squidclient
>>> /usr/bin/qemu-system-arm
>>> /usr/bin/qemu-arm
>>> /usr/bin/virt-host-validate
>>> /usr/bin/danetool
>>> /usr/bin/certtool
>>> /usr/bin/bsdcat
>>> /usr/bin/qemu-pr-helper
>>> /usr/bin/bsdcpio
>>> /usr/bin/qemu-system-x86_64
>>> /usr/bin/qemu-img
>>> /usr/bin/ping
>>> /usr/bin/ivshmem-client
>>> /usr/bin/nettle-pbkdf2
>>> /usr/bin/pkcs1-conv
>>> /usr/bin/sexp-conv
>>> /usr/bin/qemu-io
>>> /usr/bin/dnsdist
>>> /usr/bin/qemu-x86_64
>>> /usr/bin/kdig
>>> /usr/bin/qemu-nbd
>>> /usr/bin/elf2dmp
>>> /usr/bin/qemu-system-i386
>>> /usr/bin/nettle-hash
>>> /usr/bin/virsh
>>> /usr/libexec/qemu-bridge-helper
>>> /usr/libexec/libvirt_iohelper
>>> /usr/sbin/libvirtd
>>> /usr/sbin/virtlockd
>>> /usr/sbin/virtlogd
>>> /usr/sbin/cups-genppd.5.2
>>> /usr/sbin/squid
>>> /usr/lib/libvirt.so.0.5006.0
>>> /usr/lib/libvirt-admin.so.0.5006.0
>>> /usr/lib/libhogweed.so.5.0
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
>>> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
>>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
>>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
>>> /usr/lib/libvirt/lock-driver/lockd.so
>>> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
>>> /usr/lib/libvirt-qemu.so.0.5006.0
>>> /usr/lib/cups/filter/commandtocanon
>>> /usr/lib/cups/filter/rastertogutenprint.5.2
>>> /usr/lib/cups/filter/commandtoepson
>>> /usr/lib/cups/driver/gutenprint.5.2
>>> /usr/lib/squid/negotiate_wrapper_auth
>>> /usr/lib/squid/digest_ldap_auth
>>> /usr/lib/squid/ntlm_fake_auth
>>> /usr/lib/squid/basic_radius_auth
>>> /usr/lib/squid/digest_file_auth
>>> /usr/lib/squid/basic_ncsa_auth
>>> /usr/lib/squid/cachemgr.cgi
>>> /usr/lib/squid/digest_edirectory_auth
>>> /usr/lib/libgnutls.so.30.23.2
>>> /usr/lib/libvirt-lxc.so.0.5006.0
>>> /usr/lib/libarchive.so.13.4.0
>>> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>>>
>>> Looks like we would need a compat version?
>>>
>>> Best,
>>> Matthias
>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> On 4 May 2020, at 15:32, Michael Tremer wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>>>
>>>>> I would recommend the following:
>>>>>
>>>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>>>
>>>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>>>
>>>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>>>
>>>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files than we need to.
>>>>>
>>>>> You can run this instead:
>>>>>
>>>>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>>>>  0x0000000000000001 (NEEDED)             Shared library: [libtinfo.so.6]
>>>>>  0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
>>>>>  0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
>>>>>
>>>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>>>
>>>>> readelf is in the binutils package.
>>>>>
>>>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>>>
>>>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>>>
>>>>> Please feel free to ask questions :)
>>>>>
>>>>>> On 2 May 2020, at 09:53, Matthias Fischer wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Do we know if anything else but gnutls links against this?
>>>>>>
>>>>>> Me: no => Please don't merge this patch.
>>>>>>
>>>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>>>
>>>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>>>> sucks...
>>>>>>
>>>>>> What I'm not sure about:
>>>>>> Would testing all binaries one by one with 'ldd' be sufficient?
>>>>>>
>>>>>> ToDo:
>>>>>> I thought about it. I'll try to write a script that loops through (all)
>>>>>> binaries and throws a message if an appropriate - missing - library (in
>>>>>> this case: libhogweed or libnettle) was found.
>>>>>>
>>>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>>>> [PROGRAM_NAME]', filtering the output.
>>>>>>
>>>>>> And just in case: has anyone here ever programmed anything like this
>>>>>> already?
>>>>>
>>>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>>>
>>>>> I should have kept it.
>>>>>
>>>>> -Michael
>>>>>
>>>>>>
>>>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>>>
>>>>>> Opinions?
>>>>>>
>>>>>> Best,
>>>>>> Matthias
>>>>>>
>>>>>
>>>>> -Michael
>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> On 1 May 2020, at 11:54, Matthias Fischer wrote:
>>>>>>>>
>>>>>>>> For details see:
>>>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>>>>
>>>>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>>>>
>>>>>>>> Signed-off-by: Matthias Fischer
>>>>>>>> ---
>>>>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>>>>> lfs/nettle                     |  6 +++---
>>>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>>>>
>>>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>>>>> index 58e3f57a0..20a269a8b 100644
>>>>>>>> --- a/config/rootfiles/common/nettle
>>>>>>>> +++ b/config/rootfiles/common/nettle
>>>>>>>> @@ -23,6 +23,7 @@
>>>>>>>>  #usr/include/nettle/cmac.h
>>>>>>>>  #usr/include/nettle/ctr.h
>>>>>>>>  #usr/include/nettle/curve25519.h
>>>>>>>> +#usr/include/nettle/curve448.h
>>>>>>>>  #usr/include/nettle/des.h
>>>>>>>>  #usr/include/nettle/dsa-compat.h
>>>>>>>>  #usr/include/nettle/dsa.h
>>>>>>>> @@ -32,6 +33,7 @@
>>>>>>>>  #usr/include/nettle/ecdsa.h
>>>>>>>>  #usr/include/nettle/eddsa.h
>>>>>>>>  #usr/include/nettle/gcm.h
>>>>>>>> +#usr/include/nettle/gostdsa.h
>>>>>>>>  #usr/include/nettle/gosthash94.h
>>>>>>>>  #usr/include/nettle/hkdf.h
>>>>>>>>  #usr/include/nettle/hmac.h
>>>>>>>> @@ -61,16 +63,17 @@
>>>>>>>>  #usr/include/nettle/sha1.h
>>>>>>>>  #usr/include/nettle/sha2.h
>>>>>>>>  #usr/include/nettle/sha3.h
>>>>>>>> +#usr/include/nettle/siv-cmac.h
>>>>>>>>  #usr/include/nettle/twofish.h
>>>>>>>>  #usr/include/nettle/umac.h
>>>>>>>>  #usr/include/nettle/version.h
>>>>>>>>  #usr/include/nettle/xts.h
>>>>>>>>  #usr/include/nettle/yarrow.h
>>>>>>>>  usr/lib/libhogweed.so
>>>>>>>> -usr/lib/libhogweed.so.5
>>>>>>>> -usr/lib/libhogweed.so.5.0
>>>>>>>> +usr/lib/libhogweed.so.6
>>>>>>>> +usr/lib/libhogweed.so.6.0
>>>>>>>>  #usr/lib/libnettle.so
>>>>>>>> -usr/lib/libnettle.so.7
>>>>>>>> -usr/lib/libnettle.so.7.0
>>>>>>>> +usr/lib/libnettle.so.8
>>>>>>>> +usr/lib/libnettle.so.8.0
>>>>>>>>  #usr/lib/pkgconfig/hogweed.pc
>>>>>>>>  #usr/lib/pkgconfig/nettle.pc
>>>>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>>>>> index cc34b1fad..de7428121 100644
>>>>>>>> --- a/lfs/nettle
>>>>>>>> +++ b/lfs/nettle
>>>>>>>> @@ -1,7 +1,7 @@
>>>>>>>>  ###############################################################################
>>>>>>>>  #                                                                             #
>>>>>>>>  # IPFire.org - A linux based firewall                                         #
>>>>>>>> -# Copyright (C) 2007-2019 IPFire Team                                         #
>>>>>>>> +# Copyright (C) 2007-2020 IPFire Team                                         #
>>>>>>>>  #                                                                             #
>>>>>>>>  # This program is free software: you can redistribute it and/or modify        #
>>>>>>>>  # it under the terms of the GNU General Public License as published by        #
>>>>>>>> @@ -24,7 +24,7 @@
>>>>>>>>
>>>>>>>>  include Config
>>>>>>>>
>>>>>>>> -VER = 3.5.1
>>>>>>>> +VER = 3.6
>>>>>>>>
>>>>>>>>  THISAPP = nettle-$(VER)
>>>>>>>>  DL_FILE = $(THISAPP).tar.gz
>>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>>>
>>>>>>>>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>>>
>>>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>>>>
>>>>>>>>  install : $(TARGET)
>>>>>>>>
>>>>>>>> --
>>>>>>>> 2.17.1
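Review bot: the `@@ -61,16 +63,17 @@` hunk of config/rootfiles/common/nettle removes `usr/lib/libhogweed.so.5*` and `usr/lib/libnettle.so.7*` from the shipped files, so every binary in the list earlier in this thread that was linked against those sonames will fail to load after the update unless it is rebuilt against 3.6 or a compat package keeps the old libraries; the patch should land together with the gnutls 3.6.13 update the message mentions and with a decision on the compat version Matthias asks about, not on its own. Minor: the unversioned `usr/lib/libhogweed.so` symlink stays shipped while `#usr/lib/libnettle.so` is commented out; the two should be handled the same way.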
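Review bot: the `@@ -40,7 +40,7 @@` hunk of lfs/nettle only swaps the tarball's MD5, and MD5 is not collision-resistant, so the new sum on its own does not show a reviewer that the 3.6 archive is the one upstream released; since `$(DL_FILE)_MD5` is the project's lfs convention and cannot change in this patch, state in the commit message that the tarball was checked against upstream's release signature (or a SHA-256 obtained out of band) before the sum was pinned.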
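Michael's recipe above (readelf for a binary's direct DT_NEEDED entries rather than ldd, a find-style walk that only reads executable files, and a per-file match function) as an added Python example; it is not the script committed to the IPFire repository. It reads the ELF64 section headers itself instead of shelling out to readelf, the function names are mine, and the ELF image and build tree it scans are constructed in the block.

```python
import os, pathlib, struct, tempfile

DT_NULL, DT_NEEDED, SHT_STRTAB, SHT_DYNAMIC = 0, 1, 3, 6
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name type flags addr offset size link info align entsize

def needed_libs(data):
    # DT_NEEDED names of a little-endian ELF64 image (what 'readelf --dynamic | grep NEEDED' shows)
    if data[:6] != b"\x7fELF\x02\x01":
        return []  # not ELF64/LSB (e.g. a shell script): nothing to report
    e_shoff, _, _, _, _, e_shentsize, e_shnum = struct.unpack_from("<QIHHHHH", data, 40)
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    needed = []
    for sh in [s for s in shdrs if s[1] == SHT_DYNAMIC]:
        strtab = shdrs[sh[6]][4]  # sh_link names .dynstr; field 4 is its file offset
        for off in range(sh[4], sh[4] + sh[5], 16):  # 16-byte Elf64_Dyn entries
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NEEDED:  # val is an offset into .dynstr
                needed.append(data[strtab + val:data.index(b"\0", strtab + val)].decode())
    return needed

def find_dependents(root, libs):
    # Only real executable files are read; a file counts when it links one of libs directly
    hits = []
    for path in [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]:
        if not os.path.islink(path) and os.access(path, os.X_OK):
            if set(needed_libs(pathlib.Path(path).read_bytes())) & set(libs):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_elf(libs):
    # Constructed minimal ELF64: header, .dynstr, .dynamic, then three section headers
    dynstr, dyn = b"\0", b""
    for lib in libs:
        dyn += struct.pack("<qQ", DT_NEEDED, len(dynstr))
        dynstr += lib.encode() + b"\0"
    dyn += struct.pack("<qQ", DT_NULL, 0)
    shoff = 64 + len(dynstr) + len(dyn)
    shdrs = (struct.pack(SHDR, *[0] * 10)
             + struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, 64, len(dynstr), 0, 0, 1, 0)
             + struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, 64 + len(dynstr), len(dyn), 1, 0, 8, 16))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + dynstr + dyn + shdrs

def write_sample_tree():
    # Constructed build tree with one executable, usr/bin/certtool, linking libnettle.so.7
    path = pathlib.Path(tempfile.mkdtemp(), "usr/bin/certtool")
    path.parent.mkdir(parents=True)
    path.write_bytes(build_sample_elf(["libnettle.so.7", "libc.so.6"]))
    path.chmod(0o755)
    return str(path.parents[2])
```

Like readelf's section-based listing, this reports nothing for a binary whose section headers were stripped; a PT_DYNAMIC-based fallback through the program headers would cover that case.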