Control: severity 650138 serious Control: retitle 650138 liboauth0: doesn't work with NSS libcurl flavour Control: tag 650138 + patch Control: tag 639565 + patch
On Mon, 17 Sep 2012 19:19:57 +0200, Alessandro Ghedini wrote:
> > thanks alot for taking the time to shed some light here!
> No problem
Thanks again :)
> > Makes sense ... But liboauth does link (and therefore depend on) one
> > of the curl libs, unless forced to do otherwise.
> My comment was about the "do not build-depends on libcurl4*-dev and manually
> depend on a libcurl3*" solution exposed above, which wouldn't work.
Right.
> > What I've done now, since I'm more interested in #650138 actually :)
> I think I see the problem: the NSS libcurl flavour needs a proper NSS
> certificate database (just like any other application using NSS, e.g. chromium
> and firefox generate their own databases), otherwise the SSL/TLS support is
> mostly broken (i.e. the certificate checks always fail, see #655628).
Ah!
> Now I'm not really into OAuth nor Twitter-like things, but I guess that
> Twitter
> and Identi.ca provide an HTTPS end-point for their OAuth APIs... HTTPS
> requires
> SSL/TLS certificate checking by default... I guess you see where this is
> going.
Yup, currently an strace shows something about a missing end-point
before the error message.
> I think liboauth use of NSS does not involve certificate checking but
> libcurl's,
> unless otherwise told, does. But they are independent.
Ack, that was also my interpretation, and fits with Tsukasa Hamano's
message (#34) in this (#639565) bug report log.
> From liboauth 0.9.4-3 changelog:
>
> * Sync from Ubuntu:
> [ Mathieu Trudel-Lapierre ]
> * debian/control: liboauth-dev really needs libcurl4-nss-dev, not
> libcurl4-gnutls-dev (nss is required in the .pc file)
> (closes: #646485, #639565)
> [ Sjoerd Simons ]
> * collab-main team update
> * debian/control: Swith build-depend to libcurl4-nss-dev from
> libcurl4-gnutls-dev. oauth itself uses nss for SSL
>
> That probably explains why liboauth and in turn bti stopped working from that
> version.
So this should be libcurl4-*-dev (and not -nss-) for the HTTPS
communication, and libnss3-dev for the OAuth hash things, right? (And
the fix for #646485 would have been to just add libnss3-dev, and not
to switch the curl flavour.)
> So, to recap, IMO liboauth and bti (well, I'm not really sure about bti... but
> that doesn't hurt) should build-depend on libcurl4-gnutls-dev, which would fix
> #650138, and liboauth-dev should depend on libcurl4-gnutls-dev | libcurl4-dev,
> which would fix #639565 (as exposed in the submission email).
Perfect!
(And since bti works as-is with a rebuilt liboauth0, I guess I leave
the change in the build-dep for after-wheezy.)
> libcurl3* runtime independence is not possible unless leaving libcurl's
> symbols
> unresolved (as explained a few emails ago). But I don't quite see why one
> would
> want the independence in the first place. To quote Tsukasa Hamano: "The
> depends
> is force developper to link with gnutls", I'm not quite sure what he meant,
> but
> the developer (using liboauth) is not forced to link againt anything, liboauth
> is, but it doesn't affect the developer using it. And when using a static
> liboauth
> (i.e. what the Requires.private in oauth.pc and the liboauth-dev Depends are
> for) one can choose any libcurl. If really needed, one can rebuild liboauth
> from
> source, in which case "libcurl4-gnutls-dev | libcurl4-dev" in its build-depend
> would help.
Makes sense, and fits my experiments :)
So this should fix both bugs:
#v+
diff -Nru liboauth-0.9.4/debian/control liboauth-0.9.4/debian/control
--- liboauth-0.9.4/debian/control 2011-11-05 12:41:07.000000000 +0100
+++ liboauth-0.9.4/debian/control 2012-09-17 19:31:21.000000000 +0200
@@ -2,7 +2,7 @@
Priority: optional
Maintainer: Bilal Akhtar <bilalakh...@ubuntu.com>
Build-Depends: debhelper (>= 8.1.3),
- libcurl4-nss-dev,
+ libcurl4-gnutls-dev | libcurl4-dev,
libnss3-dev,
libtool,
locales-all | language-pack-en,
@@ -16,7 +16,7 @@
Package: liboauth-dev
Section: libdevel
Architecture: any
-Depends: liboauth0 (= ${binary:Version}), libcurl4-nss-dev, ${misc:Depends}
+Depends: liboauth0 (= ${binary:Version}), libcurl4-gnutls-dev | libcurl4-dev,
libnss3-dev, ${misc:Depends}
Description: C library for implementing OAuth 1.0 (development files)
liboauth is a collection of C functions implementing the
OAuth Core 1.0 standard API. liboauth provides basic functions to escape
#v-
Thanks again,
gregor
--
.''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
: :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/
`. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
`- NP: Dire Straits: Single Handed Sailor
signature.asc
Description: Digital signature
