On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> This morning when Ionut was trying to update gtk3, he noticed that the
> CUPS print backend would pull in libgcrypt, which is no longer needed,
> as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> quickly resolved with a short patch from Fedora.
>
> After fixing CUPS, we found out that CUPS would pull in a lot of other
> libraries and weird CFLAGS in the cups-config output:
>
> $ cups-config --libs
> -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
>
> Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> flags don't come from CUPS, but from krb5:
>
> CFLAGS=test krb5-config --libs
> $ CFLAGS=test krb5-config --libs
> test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> -lkeyutils -lresolv -ldl
>
> So it turns out krb5-config is plain wrong here. Fedora has a patch for
> this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
>
> Another quite useful patch would be this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
>
> I'm not sure about the whole library fixup things they're doing in the
> first patch, but most important will be the first section of the part
> that is applied to krb5-config.in.
>
> OK to apply this? As krb5 is a dependency of quite some packages, this
> would reduce lots of unneeded libs in those packages.
>
The second patch makes sense to me -- if we don't fix this, we'll have
to add all these useless deps to the packaging.

The first patch mostly just looks like standard hardening that Fedora
does. I wouldn't be opposed to this, pending Allan's input since we're
looking at a global rebuild in the near future (pacman4). I know that
he's planning to enable relro and PIE, but not -z,now iirc.

dave
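
The sentinel check quoted above (`CFLAGS=test krb5-config --libs`), generalized into a reusable audit, as an added example that is not part of the original thread or of any package's build scripts. The function names and the two stand-in config scripts are constructed for illustration; the cups-config string is the output quoted in the message.

```shell
#!/bin/sh
# Added example: audit what a *-config script emits for --libs.

# leaks_cflags CMD [ARGS...]
# Runs CMD --libs with a sentinel value in CFLAGS. Returns 0 if the sentinel
# is echoed back (the script leaks CFLAGS), 1 if not, 2 if the command fails.
leaks_cflags() {
    sentinel="cflags_sentinel_$$"
    out=$(CFLAGS="$sentinel" "$@" --libs 2>/dev/null) || return 2
    case $out in
        *"$sentinel"*) return 0 ;;
        *) return 1 ;;
    esac
}

# non_linker_flags "FLAGS"
# Prints every token of a --libs string that is not linker input.
non_linker_flags() {
    for tok in $1; do
        case $tok in
            -l*|-L*|-Wl,*|-pthread|*.a|*.so|*.so.*) ;;  # legitimate for --libs
            *) printf '%s\n' "$tok" ;;                  # compiler flag or stray word
        esac
    done
}

# Constructed stand-ins for a leaking and a corrected config script.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/buggy-config" <<'EOF'
echo "$CFLAGS -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"
EOF
cat > "$demo_dir/fixed-config" <<'EOF'
echo "-lkrb5 -lk5crypto -lcom_err"
EOF

# cups-config --libs output as quoted in the message above.
CUPS_LIBS='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
-Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
-lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'

if leaks_cflags sh "$demo_dir/buggy-config"; then echo "buggy-config leaks CFLAGS"; fi
echo "non-linker tokens in the quoted cups-config output:"
non_linker_flags "$CUPS_LIBS"
```

Against an installed script the call is `leaks_cflags krb5-config`; a return of 0 means build-time CFLAGS are reaching every consumer's link line.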

