[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-22 Thread Robie Basak 
Please see https://irclogs.ubuntu.com/2017/02/22/%23ubuntu-
release.html#t14:35 for some further discussion on this with another
~ubuntu-sru member.

Following that discussion:

1) The problem appears to be theoretical at this point, since libscrypt
has never been updated in an existing stable release.

2) Fixing this must necessarily change behaviour (linking will link
dynamically instead of statically). Users might shout about this as much
as they'd shout about not having the shared library available.

3) This is (presumably) fixed in newer stable Ubuntu releases, including
16.04 LTS.

So I believe the decision is "no" for now, unless one of those things
changes. If there is an update in libscrypt, we'd need to find the
reverse dependencies and fix them for any update to be useful. Andy
points out that looking up reverse dependencies in newer releases where
this is fixed will at least give us a first approximation of what needs
to be addressed.

I appreciate that this is a marginal decision and welcome further
discussion. I'll set the bug status to "Won't Fix" for now, and reject
from the queue, but this can change if the situation changes or if a
contrary decision is made.

** Changed in: libscrypt (Ubuntu Trusty)
   Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-22 Thread Robie Basak 
> If there's any update to the library, other packages don't pick it up.

Right, but as you point out, this upload won't fix this.

> In the end it's mostly to help people building their own packages on
Ubuntu against libscrypt to do it correct and in the manner you'd expect
an Ubuntu system to behave.

That's true, but I'd expect users doing anything *new* to be doing it on
16.04 or on 16.10, where I presume this bug is already fixed? Changing
this in 14.04 will change behaviour (as is intended), but this could
equally break users relying on particular previous behaviour.

My opinion would be different for 16.04. For 14.04, I'm on the fence,
and I'd like a second opinion from another ~ubuntu-sru.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-08 Thread Philipp Kern 
The implication is that packages built against scrypt on trusty link
against it statically. It's a grave Debian policy violation for one,
it's a terrible thing for a security-related library for another. If
there's any update to the library, other packages don't pick it up. It's
also clear that it has been fixed in newer Ubuntu versions since over
two years with no reported regression.

That being said, it's clear that for in-distro packages reverse
dependencies of libscrypt would need to be recompiled to pick up the
dependency. However, they are of course not easy to identify because
they never inherited the shlibs dependency in the first place.

Similarly I can make the argument that it does not affect any package in
the archive because unless they are recompiled they won't see the
updated symlink. In the end it's mostly to help people building their
own packages on Ubuntu against libscrypt to do it correct and in the
manner you'd expect an Ubuntu system to behave.

** Changed in: libscrypt (Ubuntu Trusty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-08 Thread Robie Basak 
This would changing anything that builds now to building against the
shared library instead of the static library, right? What are the
implications of this? This should really be discussed in Regression
Potential.

Second, what's the real world impact of this? Why is there a need to SRU
this? What is the impact of this bug to *users* in Trusty?

** Changed in: libscrypt (Ubuntu Trusty)
   Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-01 Thread Philipp Kern 
** Changed in: libscrypt (Ubuntu Trusty)
   Status: Confirmed => In Progress

** Description changed:

- libscrypt.so is a broken symlink:
+ [ Impact ]
  
- $ file /usr/lib/libscrypt.so
- /usr/lib/libscrypt.so: broken symbolic link to 
`debian/tmp/usr/lib/libscrypt.so.0'
+ libscrypt-dev ships a broken symlink from /usr/lib/libscrypt.so to
+ debian/tmp/usr/lib/libscrypt.so.0. This causes builds linking with
+ -lscrypt to pick up its static library /usr/lib/libscrypt.a instead.
+ This happens silently.
  
- This was reported and fixed in Debian, but the fixed version is not yet
- in Ubuntu.
+ [ Test Case ]
+ 
+ Check if libscrypt-dev's /usr/lib/libscrypt.so symlink points to
+ libscrypt.so.0 instead of debian/tmp/usr/lib/libscrypt.so.0.
+ 
+ [ Regression Potential ]
+ 
+ None. As we see, even if the symlink is broken, the linker falls back to
+ something else.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-01 Thread Philipp Kern 
Debdiff to fix this in trusty attached.

** Patch added: "libscrypt_1-2ubuntu2_1-2ubuntu2.14.04.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+attachment/4811710/+files/libscrypt_1-2ubuntu2_1-2ubuntu2.14.04.1.debdiff

** Changed in: libscrypt (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: libscrypt (Ubuntu Trusty)
 Assignee: (unassigned) => Philipp Kern (pkern)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2017-02-01 Thread Philipp Kern 
As it turns out the side-effect of this is that binaries linking against
scrypt are picking it up statically because there's a libscrypt.a that
works.

** Also affects: libscrypt (Ubuntu Trusty)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2015-09-01 Thread Cory Bloor 
This is still broken in Ubuntu 14.04 (1-2ubuntu2). Was that an
oversight?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2014-12-24 Thread Logan Rosen 
This bug was fixed in the package libscrypt - 1.20-1

---
libscrypt (1.20-1) experimental; urgency=low

  * ACK NMUs, thanks for the fixes.
  * New upstream release (Closes: #746041).
- Drop patches from NMUs due to inclusion of equivalent changes upstream.
  * Add myself as co-maintainer.
  * Bump Standards-Version.
  * Add a symbols file.
  * Tweak -dev package description.
  * Update Vcs-* fields.
  * Update copyright file.

 -- Tristan Seligmann mithra...@debian.org  Sun, 14 Dec 2014 05:28:49
+0200

libscrypt (1-2.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix FTBFS on big endian architecture.
Patch by Aurelien Jarno.
Add big-endian.patch.
Closes: #728254.

 -- Anibal Monsalve Salazar ani...@debian.org  Mon, 21 Jul 2014
06:32:03 +0100

libscrypt (1-2.1) unstable; urgency=medium

  * Non-maintainer upload
  * Make symlink relative (Closes: #731174)

 -- David Prévot taf...@debian.org  Wed, 25 Dec 2013 20:48:11 -0400

** Changed in: libscrypt (Ubuntu)
   Status: Confirmed = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2014-10-20 Thread Launchpad Bug Tracker 
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libscrypt (Ubuntu)
   Status: New = Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1313311] Re: Broken libscrypt.so symlink

2014-04-27 Thread Bug Watch Updater 
** Changed in: libscrypt (Debian)
   Status: Unknown = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscrypt/+bug/1313311/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs