Oh.
On 14 May 2020, at 12:35, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
cachemgr.cgi is in fact an ELF binary.
I don't know why it was named 'cgi'.
Best, Matthias
On 14.05.2020 12:43, Michael Tremer wrote:
Hi,
Oh. This is indeed a very long list of files.
Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
I have no idea why cachemgr.cgi matches though.
Best, -Michael
On 13 May 2020, at 22:37, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 13.05.2020 12:55, Michael Tremer wrote:
Hi,
I found my script!
YES! ;-)
I have committed it to the repository and sent a patch. Please have a look.
Looked. Seems to work.
And it would have taken me much longer to write such a script. Great you've found it.
I have also added a simple shortcut for make.sh.
So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
You can also pass multiple libraries at once.
I took a ride on a Core144 build with:
./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
I wanted to know which libraries would be affected by the nettle 3.6 update.
Result (I cut '/git/ipfire.../build/'):
/usr/bin/virt-admin /usr/bin/ivshmem-server /usr/bin/bsdtar /usr/bin/nettle-lfib-stream /usr/bin/qemu-i386 /usr/bin/qemu-edid /usr/bin/squidclient /usr/bin/qemu-system-arm /usr/bin/qemu-arm /usr/bin/virt-host-validate /usr/bin/danetool /usr/bin/certtool /usr/bin/bsdcat /usr/bin/qemu-pr-helper /usr/bin/bsdcpio /usr/bin/qemu-system-x86_64 /usr/bin/qemu-img /usr/bin/ping /usr/bin/ivshmem-client /usr/bin/nettle-pbkdf2 /usr/bin/pkcs1-conv /usr/bin/sexp-conv /usr/bin/qemu-io /usr/bin/dnsdist /usr/bin/qemu-x86_64 /usr/bin/kdig /usr/bin/qemu-nbd /usr/bin/elf2dmp /usr/bin/qemu-system-i386 /usr/bin/nettle-hash /usr/bin/virsh /usr/libexec/qemu-bridge-helper /usr/libexec/libvirt_iohelper /usr/sbin/libvirtd /usr/sbin/virtlockd /usr/sbin/virtlogd /usr/sbin/cups-genppd.5.2 /usr/sbin/squid /usr/lib/libvirt.so.0.5006.0 /usr/lib/libvirt-admin.so.0.5006.0 /usr/lib/libhogweed.so.5.0 /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so /usr/lib/libvirt/lock-driver/lockd.so /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so /usr/lib/libvirt-qemu.so.0.5006.0 /usr/lib/cups/filter/commandtocanon /usr/lib/cups/filter/rastertogutenprint.5.2 /usr/lib/cups/filter/commandtoepson /usr/lib/cups/driver/gutenprint.5.2 /usr/lib/squid/negotiate_wrapper_auth /usr/lib/squid/digest_ldap_auth /usr/lib/squid/ntlm_fake_auth /usr/lib/squid/basic_radius_auth /usr/lib/squid/digest_file_auth /usr/lib/squid/basic_ncsa_auth /usr/lib/squid/cachemgr.cgi /usr/lib/squid/digest_edirectory_auth /usr/lib/libgnutls.so.30.23.2 /usr/lib/libvirt-lxc.so.0.5006.0 /usr/lib/libarchive.so.13.4.0 /srv/web/ipfire/cgi-bin/cachemgr.cgi
Looks like we would need a compat version?
Best, Matthias
Best, -Michael
On 4 May 2020, at 15:32, Michael Tremer michael.tremer@ipfire.org wrote:
Hi,
Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
I would recommend the following:
Have a function that takes a binary name and returns whether it matches or not.
Have a second function that finds all binary files and calls the function from 1).
You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links again liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
You can run this instead:
root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6] 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2] 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
readelf is in the binutils package.
We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
Please feel free to ask questions :)
On 2 May 2020, at 09:53, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 01.05.2020 15:17, Michael Tremer wrote: > Hi, > > Do we know if anything else but gnutls links against this?
Me: no => Please don't merge this patch.
> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
You're right. IIRC, I read about a similiar problem a while ago. And it sucks...
What I'm not sure about: Would testing all binaries one by one with 'ldd' be sufficient enough?
ToDo: I thought about it. I'll try to write a script that loops through (all) binaries and throws a message if an appropriate - missing - library (in this case: libhogweed or libnettle) was found.
I'm thinking about something with a "for-while-do-loop", using 'ldd [PROGRAM_NAME]', filtering the output.
And just in case: has anyone here ever programmed anything like this already?
I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
I should have kept it.
-Michael
I don't want to "reinvent the wheel" unnecessarily... ;-)
Opinions?
Best, Matthias
-Michael
> -Michael > >> On 1 May 2020, at 11:54, Matthias Fischer matthias.fischer@ipfire.org wrote: >> >> For details see: >> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog >> >> This update also requires updating gnutls to '3.6.13'. >> >> Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org >> --- >> config/rootfiles/common/nettle | 11 +++++++---- >> lfs/nettle | 6 +++--- >> 2 files changed, 10 insertions(+), 7 deletions(-) >> >> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle >> index 58e3f57a0..20a269a8b 100644 >> --- a/config/rootfiles/common/nettle >> +++ b/config/rootfiles/common/nettle >> @@ -23,6 +23,7 @@ >> #usr/include/nettle/cmac.h >> #usr/include/nettle/ctr.h >> #usr/include/nettle/curve25519.h >> +#usr/include/nettle/curve448.h >> #usr/include/nettle/des.h >> #usr/include/nettle/dsa-compat.h >> #usr/include/nettle/dsa.h >> @@ -32,6 +33,7 @@ >> #usr/include/nettle/ecdsa.h >> #usr/include/nettle/eddsa.h >> #usr/include/nettle/gcm.h >> +#usr/include/nettle/gostdsa.h >> #usr/include/nettle/gosthash94.h >> #usr/include/nettle/hkdf.h >> #usr/include/nettle/hmac.h >> @@ -61,16 +63,17 @@ >> #usr/include/nettle/sha1.h >> #usr/include/nettle/sha2.h >> #usr/include/nettle/sha3.h >> +#usr/include/nettle/siv-cmac.h >> #usr/include/nettle/twofish.h >> #usr/include/nettle/umac.h >> #usr/include/nettle/version.h >> #usr/include/nettle/xts.h >> #usr/include/nettle/yarrow.h >> usr/lib/libhogweed.so >> -usr/lib/libhogweed.so.5 >> -usr/lib/libhogweed.so.5.0 >> +usr/lib/libhogweed.so.6 >> +usr/lib/libhogweed.so.6.0 >> #usr/lib/libnettle.so >> -usr/lib/libnettle.so.7 >> -usr/lib/libnettle.so.7.0 >> +usr/lib/libnettle.so.8 >> +usr/lib/libnettle.so.8.0 >> #usr/lib/pkgconfig/hogweed.pc >> #usr/lib/pkgconfig/nettle.pc >> diff --git a/lfs/nettle b/lfs/nettle >> index cc34b1fad..de7428121 100644 >> --- a/lfs/nettle >> +++ b/lfs/nettle >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # >> +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER = 3.5.1 >> +VER = 3.6 >> >> THISAPP = nettle-$(VER) >> DL_FILE = $(THISAPP).tar.gz >> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >> >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 >> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a >> >> install : $(TARGET) >> >> -- >> 2.17.1