Re: [Rpm-maint] [PATCH 3/4] Add sepdebugcrcfix to fixup old style gnu_debuglink CRC checksum.

2016-06-14 Thread Mark Wielaard 
Hi Thierry,

On Mon, 2016-06-13 at 14:33 +0200, Thierry Vignaud wrote:
> Could you provide a small example? From the bug report it isn't clear if
> > it really is a bug with that particular fix or that it is caused by bad
> > usage of attributes. If we have a small example we can create a test
> > case for it.
> 
> Here's one example attached.
> With current FC patch applied to rpm (aka uncommenting the patch at
> http://svnweb.mageia.org/packages/cauldron/rpm/current/SPECS/rpm.spec?revision=1018103=markup#l116)
> 
> With "%define debug_package %{nil}", "ll /bin/test2" shows:
> -rwsr-xr-x 1 root root 6128 Eve  13 13:56 /bin/test2*
> With "#define debug_package %{nil}", "ll /bin/test2" shows:
> -rwxr-xr-x 1 root root 7184 Eve  13 13:55 /bin/test2*
> 
> When the rpm patch is not applied, both cases works OK (aka ls -[ol]
> reports the suid bit)
 
Aha, ok. I see what is happening. Since you don't set the attributes
explicitly you rely on the suid bit being picked up. But since we change
the file the suid flag gets reset. The fix is similar to how other helpers
get and reset all mods. I added a testcase for this issue making sure that
it triggers all helpers and still has the suid binaries coming out as
expected. I also rearranged the patchset a little, to make sure the test
actually tests the right binary by bringing forward the "Don't use
hardcoded paths to tools/scripts in find-debuginfo.sh." fix.

 [PATCH 1/7] Add find-debuginfo.sh -m minisymtab support.
 [PATCH 2/7] Add dwz debuginfo compression support.
 [PATCH 3/7] Don't use hardcoded paths to tools/scripts in
 [PATCH 4/7] Add sepdebugcrcfix to fixup old style gnu_debuglink CRC
 [PATCH 5/7] Add build-id links to rpm for all ELF files.
 [PATCH 6/7] Make it possible to have unique build-ids across build
 [PATCH 7/7] Make adding GDB index sections configurable.

Thanks,

Mark
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [PATCH 3/4] Add sepdebugcrcfix to fixup old style gnu_debuglink CRC checksum.

2016-06-07 Thread Mark Wielaard 
On Tue, 2016-06-07 at 10:33 +0200, Thierry Vignaud wrote:
> On 6 June 2016 at 23:00, Mark Wielaard  wrote:
> > Some old tools might still use the .gnu_debuglink section to find
> > separate debuginfo files instead of build-id style lookups. When
> > dwz has compresses the .debug files the original CRC in the main
> > ELF file will no longer match. Make sure to run sepdebugcrcfix
> > after dwz to recalculate the CRC.
> >
> > The original fix was created by Jan Kratochvil based on code
> > from GNU binutils BFD. https://bugzilla.redhat.com/show_bug.cgi?id=971119
> > I added a testcase to make sure the CRCs were all correctly
> > updated after dwz has run to compress a debuginfo package.
> 
> WARNING: Note that the original Fedora patch has issues!
> Panu (the then upstream rpm.org maintainer) said it should _not_ be
> upstreamed when we bring the issue up:
> 
> Once we applied this patch to rpm-4.12 in Mageia, rpm silently dropped
> the suid/sgid bits from files if they were re not explicitely listed with 
> %attr
> This was breaking packages...
> See https://bugs.mageia.org/show_bug.cgi?id=14691

Could you provide a small example? From the bug report it isn't clear if
it really is a bug with that particular fix or that it is caused by bad
usage of attributes. If we have a small example we can create a test
case for it.

> Panu answered:
> 
> == BEGIN
> As for the "are you sure we (still) need this patch" question, the
> answer has always been "almost certainly not".
> 
> The short summary is that the issue it fixes only is present if you
> use dwz to compress the debuginfo (like Fedora does), and even then
> case it only affects a handful of toolchain developers in the entire
> world.
> 
> See https://bugzilla.redhat.com/show_bug.cgi?id=971119 for further
> explanation of the issue, comment #9 answers the who is affected part.
> 
> Personally my opinion is "just kick out the stupid patch already" :)
> but judge for yourselves.
> == END

I am missing some context here. But it reads like if you don't use dwz
support then it doesn't fix any real issue. So, then you can drop that
patch also. Which is true.

But you do seem to use compressed debuginfo packages. In which case it
does fix a real issue. The issue is that if you create .debug files
with .gnu_debuglink support then you need to make sure that the CRC is
calculated correctly.  I included a testcase to show what that issue is
(the testcase will fail without the patch applied).

Also note that one of the goals of improving and cleaning up debuginfo
packages is so more people can easily use them, in which case it will
impact more than just a few hackers that manage to get them properly
installed.

You can certainly argue that all tools should use build-id based
identification and lookup and so we should just completely drop .debug
files and .gnu_debuglink entirely. But that seems a rather big change. I
don't know of any distro who did this or anybody who audited all the
tools and processes to make sure .debug files and .gnu_debuglink
(including correct CRCs) are unnecessary in all situations.

Cheers,

Mark
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [PATCH 3/4] Add sepdebugcrcfix to fixup old style gnu_debuglink CRC checksum.

2016-06-07 Thread Thierry Vignaud 
On 6 June 2016 at 23:00, Mark Wielaard  wrote:
> Some old tools might still use the .gnu_debuglink section to find
> separate debuginfo files instead of build-id style lookups. When
> dwz has compresses the .debug files the original CRC in the main
> ELF file will no longer match. Make sure to run sepdebugcrcfix
> after dwz to recalculate the CRC.
>
> The original fix was created by Jan Kratochvil based on code
> from GNU binutils BFD. https://bugzilla.redhat.com/show_bug.cgi?id=971119
> I added a testcase to make sure the CRCs were all correctly
> updated after dwz has run to compress a debuginfo package.

WARNING: Note that the original Fedora patch has issues!
Panu (the then upstream rpm.org maintainer) said it should _not_ be
upstreamed when we bring the issue up:

Once we applied this patch to rpm-4.12 in Mageia, rpm silently dropped
the suid/sgid bits from files if they were re not explicitely listed with %attr
This was breaking packages...
See https://bugs.mageia.org/show_bug.cgi?id=14691

We tracked it down to:
rpm-4.11.1-sepdebugcrcfix.patch
("fix .gnu_debuglink CRC32 after dwz (rhbz#971119)")

See https://bugs.mageia.org/show_bug.cgi?id=14691#c4


Panu answered:

== BEGIN
As for the "are you sure we (still) need this patch" question, the
answer has always been "almost certainly not".

The short summary is that the issue it fixes only is present if you
use dwz to compress the debuginfo (like Fedora does), and even then
case it only affects a handful of toolchain developers in the entire
world.

See https://bugzilla.redhat.com/show_bug.cgi?id=971119 for further
explanation of the issue, comment #9 answers the who is affected part.

Personally my opinion is "just kick out the stupid patch already" :)
but judge for yourselves.
== END

Florian, you should still have the details in your mailbox ("rpm
silently loosing suid/sgid bits" private discussion in 2014
December/2015 February between me, Panu & you)

This shows I should have used the list instead of using private mails :-(

So I would say to _not_ merge this patch.
It should remain in Fedora's rpm, not be upstreamed.
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint