On 28 July 2011 08:53:23, Dave Reisner wrote:
> On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > This morning when Ionut was trying to update gtk3, he noticed that the
> > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > quickly resolved with a short patch from Fedora.
> >
> > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > libraries and weird CFLAGS in the cups-config output:
> >
> > $ cups-config --libs
> > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> >
> > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > flags don't come from CUPS, but from krb5:
> >
> > CFLAGS=test krb5-config --libs
> > $ CFLAGS=test krb5-config --libs
> > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > -lkeyutils -lresolv -ldl
> >
> > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> >
> > Another quite useful patch would be this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> >
> > I'm not sure about the whole library fixup things they're doing in the
> > first patch, but most important will be the first section of the part
> > that is applied to krb5-config.in.
> >
> > OK to apply this? As krb5 is a dependency of quite some packages, this
> > would reduce lots of unneeded libs for those packages.
>
> The second patch makes sense to me -- if we don't fix this, we'll have
> to add all these useless deps to the packaging. The first patch mostly
> just looks like standard hardening that Fedora does. I wouldn't be
> opposed to this, pending Allan's input since we're looking at a global
> rebuild in the near future (pacman4). I know that he's planning to
> enable relro and PIE, but not -z,now iirc.
>
> dave

It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned, the other one is just hardening stuff and it is not necessary at this time. I will prepare an update later today. Thanks for reporting this.

Stéphane
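
The manual check from the thread (`CFLAGS=test krb5-config --libs`) written as a reusable shell audit. This is an added example, not part of the thread or of either Fedora patch; the function names `leaked_flags` and `canary_leaks` and the canary value are assumptions, and the two sample strings are the outputs quoted above.

```shell
#!/bin/sh
# Added example. Sample strings are the two outputs quoted in the thread.
CUPS_LIBS='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'
KRB5_LIBS='test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl'

# leaked_flags "<--libs output>": print every token that is not a linker
# argument. -Wl,... options are valid on a link line, so they pass.
leaked_flags() {
    out=
    set -f    # word-split $1 without glob expansion
    for tok in $1; do
        case $tok in
            -l*|-L*|-Wl,*|-pthread) ;;
            *.a|*.so|*.so.*|*.o) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "$out"
}

# canary_leaks CMD [ARGS...]: run "CMD ARGS --libs" with a canary in CFLAGS
# (the thread's CFLAGS=test trick). Returns 0 if the canary is echoed back,
# 1 if the output is clean, 2 if the command itself failed.
CANARY='-DCFLAGS_CANARY_7f3a'   # assumed value, any unlikely token works
canary_leaks() {
    libs=$( CFLAGS=$CANARY; export CFLAGS; "$@" --libs 2>/dev/null ) || return 2
    case " $libs " in
        *" $CANARY "*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "cups-config leak: $(leaked_flags "$CUPS_LIBS")"
echo "krb5-config leak: $(leaked_flags "$KRB5_LIBS")"
```

On a build host, `canary_leaks krb5-config` exercises the installed script directly, so it can be used to confirm that a patched package no longer echoes the build environment.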

