On 28 July 2011 11:17:48, Stéphane Gaudreault wrote:
> On 28 July 2011 08:53:23, Dave Reisner wrote:
> > On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > > This morning when Ionut was trying to update gtk3, he noticed that the
> > > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > > quickly resolved with a short patch from Fedora.
> > >
> > > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > > libraries and weird CFLAGS in the cups-config output:
> > >
> > > $ cups-config --libs
> > > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> > >
> > > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > > flags don't come from CUPS, but from krb5:
> > >
> > > CFLAGS=test krb5-config --libs
> > > $ CFLAGS=test krb5-config --libs
> > > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > > -lkeyutils -lresolv -ldl
> > >
> > > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > > this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> > >
> > > Another quite useful patch would be this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> > >
> > > I'm not sure about the whole library fixup things they're doing in the
> > > first patch, but most important will be the first section of the part
> > > that is applied to krb5-config.in.
> > >
> > > OK to apply this? As krb5 is a dependency of quite some packages, this
> > > would reduce lots of unneeded libs in those packages.
> >
> > The second patch makes sense to me -- if we don't fix this, we'll have
> > to add all these useless deps to the packaging. The first patch mostly
> > just looks like standard hardening that Fedora does. I wouldn't be
> > opposed to this, pending Allan's input since we're looking at a global
> > rebuild in the near future (pacman4). I know that he's planning to
> > enable relro and PIE, but not -z,now iirc.
> >
> > dave
>
> It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned,
> the other one is just hardening stuff and it is not necessary at this time.
> I will prepare an update later today.
>
> Thanks for reporting this.
>
> Stéphane

Patched krb5 gives

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err

instead of

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl

If it is what we want, then I will upload the pkg into testing.

Stéphane
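
The `CFLAGS=test` probe quoted in the thread, turned into a reusable packaging check (an added example, not part of the thread or of any project's tooling). `libs_leaks` and the two `fake_*` functions are hypothetical names; the `fake_*` functions are constructed stand-ins that reproduce the outputs quoted above so the check runs offline.

```shell
#!/bin/sh
# Added example: detect compiler flags leaking into "<tool>-config --libs".

# Constructed stand-in for the unpatched behaviour quoted in the thread:
# whatever is in $CFLAGS is echoed into the --libs output.
fake_bad_config() {
    echo "$CFLAGS -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl"
}

# Constructed stand-in for the patched output quoted in the thread.
fake_good_config() {
    echo "-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"
}

# Usage: libs_leaks <config-command> [args...]
# Runs the command with a canary value in CFLAGS and prints every token of
# its --libs output that is not a linker argument. An empty line means clean.
# Returns 2 if the config command itself fails.
libs_leaks() {
    out=$(CFLAGS="-DCANARY_FLAG" "$@" --libs) || return 2
    leaked=""
    for tok in $out; do
        case "$tok" in
            -l*|-L*|-Wl,*|-pthread) ;;             # legitimate link arguments
            *) leaked="${leaked:+$leaked }$tok" ;; # -D, -I, -O, -march, stray words
        esac
    done
    printf '%s\n' "$leaked"
}

# Demo on the constructed stand-ins.
echo "bad:  [$(libs_leaks fake_bad_config)]"
echo "good: [$(libs_leaks fake_good_config)]"
```

On a real system the same function can be pointed at an installed script, e.g. `libs_leaks krb5-config`.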

