Control: severity 650138 serious Control: retitle 650138 liboauth0: doesn't work with NSS libcurl flavour Control: tag 650138 + patch Control: tag 639565 + patch
On Mon, 17 Sep 2012 19:19:57 +0200, Alessandro Ghedini wrote: > > thanks alot for taking the time to shed some light here! > No problem Thanks again :) > > Makes sense ... But liboauth does link (and therefore depend on) one > > of the curl libs, unless forced to do otherwise. > My comment was about the "do not build-depends on libcurl4*-dev and manually > depend on a libcurl3*" solution exposed above, which wouldn't work. Right. > > What I've done now, since I'm more interested in #650138 actually :) > I think I see the problem: the NSS libcurl flavour needs a proper NSS > certificate database (just like any other application using NSS, e.g. chromium > and firefox generate their own databases), otherwise the SSL/TLS support is > mostly broken (i.e. the certificate checks always fail, see #655628). Ah! > Now I'm not really into OAuth nor Twitter-like things, but I guess that > Twitter > and Identi.ca provide an HTTPS end-point for their OAuth APIs... HTTPS > requires > SSL/TLS certificate checking by default... I guess you see where this is > going. Yup, currently an strace shows something about a missing end-point before the error message. > I think liboauth use of NSS does not involve certificate checking but > libcurl's, > unless otherwise told, does. But they are independent. Ack, that was also my interpretation, and fits with Tsukasa Hamano's message (#34) in this (#639565) bug report log. > From liboauth 0.9.4-3 changelog: > > * Sync from Ubuntu: > [ Mathieu Trudel-Lapierre ] > * debian/control: liboauth-dev really needs libcurl4-nss-dev, not > libcurl4-gnutls-dev (nss is required in the .pc file) > (closes: #646485, #639565) > [ Sjoerd Simons ] > * collab-main team update > * debian/control: Swith build-depend to libcurl4-nss-dev from > libcurl4-gnutls-dev. oauth itself uses nss for SSL > > That probably explains why liboauth and in turn bti stopped working from that > version. So this should be libcurl4-*-dev (and not -nss-) for the HTTPS communication, and libnss3-dev for the OAuth hash things, right? (And the fix for #646485 would have been to just add libnss3-dev, and not to switch the curl flavour.) > So, to recap, IMO liboauth and bti (well, I'm not really sure about bti... but > that doesn't hurt) should build-depend on libcurl4-gnutls-dev, which would fix > #650138, and liboauth-dev should depend on libcurl4-gnutls-dev | libcurl4-dev, > which would fix #639565 (as exposed in the submission email). Perfect! (And since bti works as-is with a rebuilt liboauth0, I guess I leave the change in the build-dep for after-wheezy.) > libcurl3* runtime independence is not possible unless leaving libcurl's > symbols > unresolved (as explained a few emails ago). But I don't quite see why one > would > want the independence in the first place. To quote Tsukasa Hamano: "The > depends > is force developper to link with gnutls", I'm not quite sure what he meant, > but > the developer (using liboauth) is not forced to link againt anything, liboauth > is, but it doesn't affect the developer using it. And when using a static > liboauth > (i.e. what the Requires.private in oauth.pc and the liboauth-dev Depends are > for) one can choose any libcurl. If really needed, one can rebuild liboauth > from > source, in which case "libcurl4-gnutls-dev | libcurl4-dev" in its build-depend > would help. Makes sense, and fits my experiments :) So this should fix both bugs: #v+ diff -Nru liboauth-0.9.4/debian/control liboauth-0.9.4/debian/control --- liboauth-0.9.4/debian/control 2011-11-05 12:41:07.000000000 +0100 +++ liboauth-0.9.4/debian/control 2012-09-17 19:31:21.000000000 +0200 @@ -2,7 +2,7 @@ Priority: optional Maintainer: Bilal Akhtar <bilalakh...@ubuntu.com> Build-Depends: debhelper (>= 8.1.3), - libcurl4-nss-dev, + libcurl4-gnutls-dev | libcurl4-dev, libnss3-dev, libtool, locales-all | language-pack-en, @@ -16,7 +16,7 @@ Package: liboauth-dev Section: libdevel Architecture: any -Depends: liboauth0 (= ${binary:Version}), libcurl4-nss-dev, ${misc:Depends} +Depends: liboauth0 (= ${binary:Version}), libcurl4-gnutls-dev | libcurl4-dev, libnss3-dev, ${misc:Depends} Description: C library for implementing OAuth 1.0 (development files) liboauth is a collection of C functions implementing the OAuth Core 1.0 standard API. liboauth provides basic functions to escape #v- Thanks again, gregor -- .''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Dire Straits: Single Handed Sailor
signature.asc
Description: Digital signature