Message ID | 20200501105454.17614-1-matthias.fischer@ipfire.org |
---|---|
State | Superseded |
Series | nettle: Update to 3.6 |
Commit Message
Matthias Fischer
May 1, 2020, 10:54 a.m. UTC
For details see:
https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
This update also requires updating gnutls to '3.6.13'.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/rootfiles/common/nettle | 11 +++++++----
lfs/nettle | 6 +++---
2 files changed, 10 insertions(+), 7 deletions(-)
Comments
Hi, Do we know if anything else but gnutls links against this? The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks. -Michael > On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > For details see: > https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog > > This update also requires updating gnutls to '3.6.13'. > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > config/rootfiles/common/nettle | 11 +++++++---- > lfs/nettle | 6 +++--- > 2 files changed, 10 insertions(+), 7 deletions(-) > > diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle > index 58e3f57a0..20a269a8b 100644 > --- a/config/rootfiles/common/nettle > +++ b/config/rootfiles/common/nettle > @@ -23,6 +23,7 @@ > #usr/include/nettle/cmac.h > #usr/include/nettle/ctr.h > #usr/include/nettle/curve25519.h > +#usr/include/nettle/curve448.h > #usr/include/nettle/des.h > #usr/include/nettle/dsa-compat.h > #usr/include/nettle/dsa.h > @@ -32,6 +33,7 @@ > #usr/include/nettle/ecdsa.h > #usr/include/nettle/eddsa.h > #usr/include/nettle/gcm.h > +#usr/include/nettle/gostdsa.h > #usr/include/nettle/gosthash94.h > #usr/include/nettle/hkdf.h > #usr/include/nettle/hmac.h > @@ -61,16 +63,17 @@ > #usr/include/nettle/sha1.h > #usr/include/nettle/sha2.h > #usr/include/nettle/sha3.h > +#usr/include/nettle/siv-cmac.h > #usr/include/nettle/twofish.h > #usr/include/nettle/umac.h > #usr/include/nettle/version.h > #usr/include/nettle/xts.h > #usr/include/nettle/yarrow.h > usr/lib/libhogweed.so > -usr/lib/libhogweed.so.5 > -usr/lib/libhogweed.so.5.0 > +usr/lib/libhogweed.so.6 > +usr/lib/libhogweed.so.6.0 > #usr/lib/libnettle.so > -usr/lib/libnettle.so.7 > -usr/lib/libnettle.so.7.0 > +usr/lib/libnettle.so.8 > +usr/lib/libnettle.so.8.0 > #usr/lib/pkgconfig/hogweed.pc > #usr/lib/pkgconfig/nettle.pc > diff --git a/lfs/nettle b/lfs/nettle > index cc34b1fad..de7428121 100644 > --- a/lfs/nettle 
> +++ b/lfs/nettle > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 3.5.1 > +VER = 3.6 > > THISAPP = nettle-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 > +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a > > install : $(TARGET) > > -- > 2.17.1 >
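Review bot: In the "@@ -61,16 +63,17 @@" hunk of config/rootfiles/common/nettle, replacing usr/lib/libhogweed.so.5* and usr/lib/libnettle.so.7* with the .so.6* and .so.8* names drops the old sonames from the image, so any binary that still carries a NEEDED entry for libhogweed.so.5 or libnettle.so.7 will fail to load after the update. Before this is merged, list the dependents and either rebuild and ship them in the same update or keep the old libraries as a compat package. The same hunk ships the unversioned usr/lib/libhogweed.so while "#usr/lib/libnettle.so" stays commented out; that looks pre-existing, but the two should be made consistent while these lines are being touched.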
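Review bot: The "VER = 3.6" change in lfs/nettle depends on gnutls 3.6.13 according to the commit message, but the diffstat covers only config/rootfiles/common/nettle and lfs/nettle. Send the gnutls update as part of the same series, ordered with this patch, so the tree never holds nettle 3.6 next to a gnutls that was built for the previous nettle.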
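Review bot: The "$(DL_FILE)_MD5" line in the last lfs/nettle hunk is the only integrity check on nettle-3.6.tar.gz visible here, and MD5 is not collision resistant. State in the commit message how the new tarball was verified before the hash was updated (for example against the upstream release signature), so the pinned value is anchored to something stronger than the download itself.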
Hi,

On 01.05.2020 15:17, Michael Tremer wrote:
> Hi,
>
> Do we know if anything else but gnutls links against this?

Me: no => Please don't merge this patch.

> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.

You're right. IIRC, I read about a similar problem a while ago. And it sucks...

What I'm not sure about:
Would testing all binaries one by one with 'ldd' be sufficient enough?

ToDo:
I thought about it. I'll try to write a script that loops through (all) binaries and throws a message if an appropriate - missing - library (in this case: libhogweed or libnettle) was found.

I'm thinking about something with a "for-while-do-loop", using 'ldd [PROGRAM_NAME]', filtering the output.

And just in case: has anyone here ever programmed anything like this already?

I don't want to "reinvent the wheel" unnecessarily... ;-)

Opinions?

Best,
Matthias
Hi,

Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.

I would recommend the following:

1) Have a function that takes a binary name and returns whether it matches or not.

2) Have a second function that finds all binary files and calls the function from 1).

You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.

I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.

You can run this instead:

root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]

These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.

readelf is in the binutils package.

We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.

For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.

Please feel free to ask questions :)

> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>
> And just in case: has anyone here ever programmed anything like this
> already?

I wrote such a script when we migrated OpenSSL, but I do not have it any more :)

I should have kept it.

-Michael
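The two-function design described in the message above (a per-file check on readelf's NEEDED entries, driven by a find over executable files), as an added example. It is not the script that was later committed to the IPFire repository; the names parse_needed, links_against and find_dependents and the READELF variable are assumptions.

```shell
#!/bin/sh
# Added example: list files under a root directory whose ELF dynamic section
# names one of the given libraries as a *direct* dependency (DT_NEEDED).
# All function and variable names here are hypothetical.
#
# readelf only parses the file. ldd asks the dynamic loader to resolve the
# whole dependency tree, so it reports transitive libraries as well and is
# not safe to point at binaries you do not trust.

READELF="${READELF:-readelf}"   # assumption: override for a cross toolchain

# Read `readelf --dynamic` output on stdin and print one soname per line,
# taken from the "[...]" part of each (NEEDED) entry.
parse_needed() {
    sed -n 's/^.*(NEEDED).*\[\(.*\)].*$/\1/p'
}

# links_against FILE LIB...
# Returns 0 if FILE directly needs at least one LIB, 1 otherwise.
# Non-ELF files produce no NEEDED lines and therefore never match.
links_against() {
    file="$1"
    shift
    needed="$("$READELF" --dynamic "$file" 2>/dev/null | parse_needed)" || return 1
    [ -n "$needed" ] || return 1
    for lib in "$@"; do
        # -F: fixed string, -x: whole line, so libnettle.so.7 does not
        # match libnettle.so.70 or a bare libnettle.so.
        if printf '%s\n' "$needed" | grep -Fxq -- "$lib"; then
            return 0
        fi
    done
    return 1
}

# find_dependents ROOT LIB...
# Walks ROOT, considers only regular files with an execute bit set, and
# prints each match with the ROOT prefix removed.
# Limitation: paths containing newlines are not handled.
find_dependents() {
    root="$1"
    shift
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        if links_against "$f" "$@"; then
            printf '%s\n' "${f#"$root"}"
        fi
    done
}

# Stand-alone use: script ROOT LIB [LIB...]
if [ "$#" -ge 2 ]; then
    find_dependents "$@"
fi
```

Called with a build root and the old sonames (libhogweed.so.5 libnettle.so.7), it prints the files that would break once those libraries are removed.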
Hi,

I found my script!

I have committed it to the repository and sent a patch. Please have a look.

I have also added a simple shortcut for make.sh.

So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.

You can also pass multiple libraries at once.

Best,
-Michael
Hi,

On 13.05.2020 12:55, Michael Tremer wrote:
> Hi,
>
> I found my script!

YES! ;-)

> I have committed it to the repository and sent a patch. Please have a look.

Looked. Seems to work.

And it would have taken me much longer to write such a script. Great you've found it.

> I have also added a simple shortcut for make.sh.
>
> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>
> You can also pass multiple libraries at once.

I took a ride on a Core144 build with:

./make.sh find-dependencies libhogweed.so.5 libnettle.so.7

I wanted to know which libraries would be affected by the nettle 3.6 update.

Result (I cut '/git/ipfire.../build/'):

/usr/bin/virt-admin
/usr/bin/ivshmem-server
/usr/bin/bsdtar
/usr/bin/nettle-lfib-stream
/usr/bin/qemu-i386
/usr/bin/qemu-edid
/usr/bin/squidclient
/usr/bin/qemu-system-arm
/usr/bin/qemu-arm
/usr/bin/virt-host-validate
/usr/bin/danetool
/usr/bin/certtool
/usr/bin/bsdcat
/usr/bin/qemu-pr-helper
/usr/bin/bsdcpio
/usr/bin/qemu-system-x86_64
/usr/bin/qemu-img
/usr/bin/ping
/usr/bin/ivshmem-client
/usr/bin/nettle-pbkdf2
/usr/bin/pkcs1-conv
/usr/bin/sexp-conv
/usr/bin/qemu-io
/usr/bin/dnsdist
/usr/bin/qemu-x86_64
/usr/bin/kdig
/usr/bin/qemu-nbd
/usr/bin/elf2dmp
/usr/bin/qemu-system-i386
/usr/bin/nettle-hash
/usr/bin/virsh
/usr/libexec/qemu-bridge-helper
/usr/libexec/libvirt_iohelper
/usr/sbin/libvirtd
/usr/sbin/virtlockd
/usr/sbin/virtlogd
/usr/sbin/cups-genppd.5.2
/usr/sbin/squid
/usr/lib/libvirt.so.0.5006.0
/usr/lib/libvirt-admin.so.0.5006.0
/usr/lib/libhogweed.so.5.0
/usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
/usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
/usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
/usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
/usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
/usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
/usr/lib/libvirt/lock-driver/lockd.so
/usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
/usr/lib/libvirt-qemu.so.0.5006.0
/usr/lib/cups/filter/commandtocanon
/usr/lib/cups/filter/rastertogutenprint.5.2
/usr/lib/cups/filter/commandtoepson
/usr/lib/cups/driver/gutenprint.5.2
/usr/lib/squid/negotiate_wrapper_auth
/usr/lib/squid/digest_ldap_auth
/usr/lib/squid/ntlm_fake_auth
/usr/lib/squid/basic_radius_auth
/usr/lib/squid/digest_file_auth
/usr/lib/squid/basic_ncsa_auth
/usr/lib/squid/cachemgr.cgi
/usr/lib/squid/digest_edirectory_auth
/usr/lib/libgnutls.so.30.23.2
/usr/lib/libvirt-lxc.so.0.5006.0
/usr/lib/libarchive.so.13.4.0
/srv/web/ipfire/cgi-bin/cachemgr.cgi

Looks like we would need a compat version?

Best,
Matthias
Hi,

Oh. This is indeed a very long list of files.

Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.

Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).

I have no idea why cachemgr.cgi matches though.

Best,
-Michael

> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>
> Hi,
>
> On 13.05.2020 12:55, Michael Tremer wrote:
>> Hi,
>>
>> I found my script!
>
> YES! ;-)
>
>> I have committed it to the repository and sent a patch. Please have a look.
>
> Looked. Seems to work.
>
> And it would have taken me much longer to write such a script. Great
> you've found it.
>
>> I have also added a simple shortcut for make.sh.
>>
>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>
>> You can also pass multiple libraries at once.
>
> I took a ride on a Core144 build with:
>
> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>
> I wanted to know which libraries would be affected by the nettle 3.6 update.
>
> Result (I cut '/git/ipfire.../build/'):
>
> /usr/bin/virt-admin
> /usr/bin/ivshmem-server
> /usr/bin/bsdtar
> /usr/bin/nettle-lfib-stream
> /usr/bin/qemu-i386
> /usr/bin/qemu-edid
> /usr/bin/squidclient
> /usr/bin/qemu-system-arm
> /usr/bin/qemu-arm
> /usr/bin/virt-host-validate
> /usr/bin/danetool
> /usr/bin/certtool
> /usr/bin/bsdcat
> /usr/bin/qemu-pr-helper
> /usr/bin/bsdcpio
> /usr/bin/qemu-system-x86_64
> /usr/bin/qemu-img
> /usr/bin/ping
> /usr/bin/ivshmem-client
> /usr/bin/nettle-pbkdf2
> /usr/bin/pkcs1-conv
> /usr/bin/sexp-conv
> /usr/bin/qemu-io
> /usr/bin/dnsdist
> /usr/bin/qemu-x86_64
> /usr/bin/kdig
> /usr/bin/qemu-nbd
> /usr/bin/elf2dmp
> /usr/bin/qemu-system-i386
> /usr/bin/nettle-hash
> /usr/bin/virsh
> /usr/libexec/qemu-bridge-helper
> /usr/libexec/libvirt_iohelper
> /usr/sbin/libvirtd
> /usr/sbin/virtlockd
> /usr/sbin/virtlogd
> /usr/sbin/cups-genppd.5.2
> /usr/sbin/squid
> /usr/lib/libvirt.so.0.5006.0
> /usr/lib/libvirt-admin.so.0.5006.0
> /usr/lib/libhogweed.so.5.0
> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
> /usr/lib/libvirt/lock-driver/lockd.so
> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
> /usr/lib/libvirt-qemu.so.0.5006.0
> /usr/lib/cups/filter/commandtocanon
> /usr/lib/cups/filter/rastertogutenprint.5.2
> /usr/lib/cups/filter/commandtoepson
> /usr/lib/cups/driver/gutenprint.5.2
> /usr/lib/squid/negotiate_wrapper_auth
> /usr/lib/squid/digest_ldap_auth
> /usr/lib/squid/ntlm_fake_auth
> /usr/lib/squid/basic_radius_auth
> /usr/lib/squid/digest_file_auth
> /usr/lib/squid/basic_ncsa_auth
> /usr/lib/squid/cachemgr.cgi
> /usr/lib/squid/digest_edirectory_auth
> /usr/lib/libgnutls.so.30.23.2
> /usr/lib/libvirt-lxc.so.0.5006.0
> /usr/lib/libarchive.so.13.4.0
> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>
> Looks like we would need a compat version?
>
> Best,
> Matthias
>
>> Best,
>> -Michael
>>
>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer@ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>
>>> I would recommend the following:
>>>
>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>
>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>
>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>
>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to.
>>>
>>> You can run this instead:
>>>
>>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>
>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>
>>> readelf is in the binutils package.
>>>
>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>
>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>
>>> Please feel free to ask questions :)
>>>
>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>> Hi,
>>>>>
>>>>> Do we know if anything else but gnutls links against this?
>>>>
>>>> Me: no => Please don't merge this patch.
>>>>
>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>
>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>> sucks...
>>>>
>>>> What I'm not sure about:
>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>
>>>> ToDo:
>>>> I thought about it. I'll try to write a script that loops through (all)
>>>> binaries and throws a message if an appropriate - missing - library (in
>>>> this case: libhogweed or libnettle) was found.
>>>>
>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>> [PROGRAM_NAME]', filtering the output.
>>>>
>>>> And just in case: has anyone here ever programmed anything like this
>>>> already?
>>>
>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :)
>>>
>>> I should have kept it.
>>>
>>> -Michael
>>>
>>>>
>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>
>>>> Opinions?
>>>> >>>> Best, >>>> Matthias >>>> >>> >>> -Michael >>> >>>>> -Michael >>>>> >>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>>>> >>>>>> For details see: >>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog >>>>>> >>>>>> This update also requires updating gnutls to '3.6.13'. >>>>>> >>>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >>>>>> --- >>>>>> config/rootfiles/common/nettle | 11 +++++++---- >>>>>> lfs/nettle | 6 +++--- >>>>>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>>>> >>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle >>>>>> index 58e3f57a0..20a269a8b 100644 >>>>>> --- a/config/rootfiles/common/nettle >>>>>> +++ b/config/rootfiles/common/nettle >>>>>> @@ -23,6 +23,7 @@ >>>>>> #usr/include/nettle/cmac.h >>>>>> #usr/include/nettle/ctr.h >>>>>> #usr/include/nettle/curve25519.h >>>>>> +#usr/include/nettle/curve448.h >>>>>> #usr/include/nettle/des.h >>>>>> #usr/include/nettle/dsa-compat.h >>>>>> #usr/include/nettle/dsa.h >>>>>> @@ -32,6 +33,7 @@ >>>>>> #usr/include/nettle/ecdsa.h >>>>>> #usr/include/nettle/eddsa.h >>>>>> #usr/include/nettle/gcm.h >>>>>> +#usr/include/nettle/gostdsa.h >>>>>> #usr/include/nettle/gosthash94.h >>>>>> #usr/include/nettle/hkdf.h >>>>>> #usr/include/nettle/hmac.h 
>>>>>> @@ -61,16 +63,17 @@ >>>>>> #usr/include/nettle/sha1.h >>>>>> #usr/include/nettle/sha2.h >>>>>> #usr/include/nettle/sha3.h >>>>>> +#usr/include/nettle/siv-cmac.h >>>>>> #usr/include/nettle/twofish.h >>>>>> #usr/include/nettle/umac.h >>>>>> #usr/include/nettle/version.h >>>>>> #usr/include/nettle/xts.h >>>>>> #usr/include/nettle/yarrow.h >>>>>> usr/lib/libhogweed.so >>>>>> -usr/lib/libhogweed.so.5 >>>>>> -usr/lib/libhogweed.so.5.0 >>>>>> +usr/lib/libhogweed.so.6 >>>>>> +usr/lib/libhogweed.so.6.0 >>>>>> #usr/lib/libnettle.so >>>>>> -usr/lib/libnettle.so.7 >>>>>> -usr/lib/libnettle.so.7.0 >>>>>> +usr/lib/libnettle.so.8 >>>>>> +usr/lib/libnettle.so.8.0 >>>>>> #usr/lib/pkgconfig/hogweed.pc >>>>>> #usr/lib/pkgconfig/nettle.pc >>>>>> diff --git a/lfs/nettle b/lfs/nettle >>>>>> index cc34b1fad..de7428121 100644 >>>>>> --- a/lfs/nettle >>>>>> +++ b/lfs/nettle >>>>>> @@ -1,7 +1,7 @@ >>>>>> ############################################################################### >>>>>> # # >>>>>> # IPFire.org - A linux based firewall # >>>>>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>>>>> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>>>>> # # >>>>>> # This program is free software: you can redistribute it and/or modify # >>>>>> # it under the terms of the GNU General Public License as published by # >>>>>> @@ -24,7 +24,7 @@ >>>>>> >>>>>> include Config >>>>>> >>>>>> -VER = 3.5.1 >>>>>> +VER = 3.6 >>>>>> >>>>>> THISAPP = nettle-$(VER) >>>>>> DL_FILE = $(THISAPP).tar.gz >>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>>>> >>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>>> >>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 >>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a >>>>>> >>>>>> install : $(TARGET) >>>>>> >>>>>> -- >>>>>> 2.17.1 >> >
Hi,

cachemgr.cgi is in fact an ELF binary.

I don't know why it was named 'cgi'.

Best,
Matthias

On 14.05.2020 12:43, Michael Tremer wrote:
> Hi,
>
> Oh. This is indeed a very long list of files.
>
> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>
> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>
> I have no idea why cachemgr.cgi matches though.
>
> Best,
> -Michael
>
>> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>
>> Hi,
>>
>> On 13.05.2020 12:55, Michael Tremer wrote:
>>> Hi,
>>>
>>> I found my script!
>>
>> YES! ;-)
>>
>>> I have committed it to the repository and sent a patch. Please have a look.
>>
>> Looked. Seems to work.
>>
>> And it would have taken me much longer to write such a script. Great
>> you've found it.
>>
>>> I have also added a simple shortcut for make.sh.
>>>
>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>
>>> You can also pass multiple libraries at once.
>>
>> I took a ride on a Core144 build with:
>>
>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>
>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>> >> Result (I cut '/git/ipfire.../build/'): >> >> /usr/bin/virt-admin >> /usr/bin/ivshmem-server >> /usr/bin/bsdtar >> /usr/bin/nettle-lfib-stream >> /usr/bin/qemu-i386 >> /usr/bin/qemu-edid >> /usr/bin/squidclient >> /usr/bin/qemu-system-arm >> /usr/bin/qemu-arm >> /usr/bin/virt-host-validate >> /usr/bin/danetool >> /usr/bin/certtool >> /usr/bin/bsdcat >> /usr/bin/qemu-pr-helper >> /usr/bin/bsdcpio >> /usr/bin/qemu-system-x86_64 >> /usr/bin/qemu-img >> /usr/bin/ping >> /usr/bin/ivshmem-client >> /usr/bin/nettle-pbkdf2 >> /usr/bin/pkcs1-conv >> /usr/bin/sexp-conv >> /usr/bin/qemu-io >> /usr/bin/dnsdist >> /usr/bin/qemu-x86_64 >> /usr/bin/kdig >> /usr/bin/qemu-nbd >> /usr/bin/elf2dmp >> /usr/bin/qemu-system-i386 >> /usr/bin/nettle-hash >> /usr/bin/virsh >> /usr/libexec/qemu-bridge-helper >> /usr/libexec/libvirt_iohelper >> /usr/sbin/libvirtd >> /usr/sbin/virtlockd >> /usr/sbin/virtlogd >> /usr/sbin/cups-genppd.5.2 >> /usr/sbin/squid >> /usr/lib/libvirt.so.0.5006.0 >> /usr/lib/libvirt-admin.so.0.5006.0 >> /usr/lib/libhogweed.so.5.0 >> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so >> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so >> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so >> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so >> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so >> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so >> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so >> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so >> /usr/lib/libvirt/lock-driver/lockd.so >> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so >> /usr/lib/libvirt-qemu.so.0.5006.0 >> /usr/lib/cups/filter/commandtocanon >> /usr/lib/cups/filter/rastertogutenprint.5.2 >> /usr/lib/cups/filter/commandtoepson >> /usr/lib/cups/driver/gutenprint.5.2 >> /usr/lib/squid/negotiate_wrapper_auth >> /usr/lib/squid/digest_ldap_auth >> /usr/lib/squid/ntlm_fake_auth >> 
/usr/lib/squid/basic_radius_auth >> /usr/lib/squid/digest_file_auth >> /usr/lib/squid/basic_ncsa_auth >> /usr/lib/squid/cachemgr.cgi >> /usr/lib/squid/digest_edirectory_auth >> /usr/lib/libgnutls.so.30.23.2 >> /usr/lib/libvirt-lxc.so.0.5006.0 >> /usr/lib/libarchive.so.13.4.0 >> /srv/web/ipfire/cgi-bin/cachemgr.cgi >> >> Looks like we would need a compat version? >> >> Best, >> Matthias >> >>> Best, >>> -Michael >>> >>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer@ipfire.org> wrote: >>>> >>>> Hi, >>>> >>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it. >>>> >>>> I would recommend the following: >>>> >>>> 1) Have a function that takes a binary name and returns whether it matches or not. >>>> >>>> 2) Have a second function that finds all binary files and calls the function from 1). >>>> >>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it. >>>> >>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links again liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to. >>>> >>>> You can run this instead: >>>> >>>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED >>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6] >>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2] >>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] >>>> >>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know. 
>>>> >>>> readelf is in the binutils package. >>>> >>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it. >>>> >>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well. >>>> >>>> Please feel free to ask questions :) >>>> >>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>>> >>>>> Hi, >>>>> >>>>> On 01.05.2020 15:17, Michael Tremer wrote: >>>>>> Hi, >>>>>> >>>>>> Do we know if anything else but gnutls links against this? >>>>> >>>>> Me: no => Please don't merge this patch. >>>>> >>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks. >>>>> >>>>> You're right. IIRC, I read about a similiar problem a while ago. And it >>>>> sucks... >>>>> >>>>> What I'm not sure about: >>>>> Would testing all binaries one by one with 'ldd' be sufficient enough? >>>>> >>>>> ToDo: >>>>> I thought about it. I'll try to write a script that loops through (all) >>>>> binaries and throws a message if an appropriate - missing - library (in >>>>> this case: libhogweed or libnettle) was found. >>>>> >>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd >>>>> [PROGRAM_NAME]', filtering the output. >>>>> >>>>> And just in case: has anyone here ever programmed anything like this >>>>> already? >>>> >>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :) >>>> >>>> I should have kept it. >>>> >>>> -Michael >>>> >>>>> >>>>> I don't want to "reinvent the wheel" unnecessarily... ;-) >>>>> >>>>> Opinions? 
>>>>> >>>>> Best, >>>>> Matthias >>>>> >>>> >>>> -Michael >>>> >>>>>> -Michael >>>>>> >>>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>>>>> >>>>>>> For details see: >>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog >>>>>>> >>>>>>> This update also requires updating gnutls to '3.6.13'. >>>>>>> >>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >>>>>>> --- >>>>>>> config/rootfiles/common/nettle | 11 +++++++---- >>>>>>> lfs/nettle | 6 +++--- >>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>>>>> >>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle >>>>>>> index 58e3f57a0..20a269a8b 100644 >>>>>>> --- a/config/rootfiles/common/nettle >>>>>>> +++ b/config/rootfiles/common/nettle >>>>>>> @@ -23,6 +23,7 @@ >>>>>>> #usr/include/nettle/cmac.h >>>>>>> #usr/include/nettle/ctr.h >>>>>>> #usr/include/nettle/curve25519.h >>>>>>> +#usr/include/nettle/curve448.h >>>>>>> #usr/include/nettle/des.h >>>>>>> #usr/include/nettle/dsa-compat.h >>>>>>> #usr/include/nettle/dsa.h >>>>>>> @@ -32,6 +33,7 @@ >>>>>>> #usr/include/nettle/ecdsa.h >>>>>>> #usr/include/nettle/eddsa.h >>>>>>> #usr/include/nettle/gcm.h >>>>>>> +#usr/include/nettle/gostdsa.h >>>>>>> #usr/include/nettle/gosthash94.h >>>>>>> #usr/include/nettle/hkdf.h >>>>>>> #usr/include/nettle/hmac.h 
>>>>>>> @@ -61,16 +63,17 @@ >>>>>>> #usr/include/nettle/sha1.h >>>>>>> #usr/include/nettle/sha2.h >>>>>>> #usr/include/nettle/sha3.h >>>>>>> +#usr/include/nettle/siv-cmac.h >>>>>>> #usr/include/nettle/twofish.h >>>>>>> #usr/include/nettle/umac.h >>>>>>> #usr/include/nettle/version.h >>>>>>> #usr/include/nettle/xts.h >>>>>>> #usr/include/nettle/yarrow.h >>>>>>> usr/lib/libhogweed.so >>>>>>> -usr/lib/libhogweed.so.5 >>>>>>> -usr/lib/libhogweed.so.5.0 >>>>>>> +usr/lib/libhogweed.so.6 >>>>>>> +usr/lib/libhogweed.so.6.0 >>>>>>> #usr/lib/libnettle.so >>>>>>> -usr/lib/libnettle.so.7 >>>>>>> -usr/lib/libnettle.so.7.0 >>>>>>> +usr/lib/libnettle.so.8 >>>>>>> +usr/lib/libnettle.so.8.0 >>>>>>> #usr/lib/pkgconfig/hogweed.pc >>>>>>> #usr/lib/pkgconfig/nettle.pc >>>>>>> diff --git a/lfs/nettle b/lfs/nettle >>>>>>> index cc34b1fad..de7428121 100644 >>>>>>> --- a/lfs/nettle >>>>>>> +++ b/lfs/nettle >>>>>>> @@ -1,7 +1,7 @@ >>>>>>> ############################################################################### >>>>>>> # # >>>>>>> # IPFire.org - A linux based firewall # >>>>>>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>>>>>> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>>>>>> # # >>>>>>> # This program is free software: you can redistribute it and/or modify # >>>>>>> # it under the terms of the GNU General Public License as published by # >>>>>>> @@ -24,7 +24,7 @@ >>>>>>> >>>>>>> include Config >>>>>>> >>>>>>> -VER = 3.5.1 >>>>>>> +VER = 3.6 >>>>>>> >>>>>>> THISAPP = nettle-$(VER) >>>>>>> DL_FILE = $(THISAPP).tar.gz >>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>>>>> >>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>>>> >>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 >>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a >>>>>>> >>>>>>> install : $(TARGET) >>>>>>> >>>>>>> -- >>>>>>> 2.17.1 >>> >> >
Oh.

> On 14 May 2020, at 12:35, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>
> Hi,
>
> cachemgr.cgi is in fact an ELF binary.
>
> I don't know why it was named 'cgi'.
>
> Best,
> Matthias
>
> On 14.05.2020 12:43, Michael Tremer wrote:
>> Hi,
>>
>> Oh. This is indeed a very long list of files.
>>
>> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>>
>> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>>
>> I have no idea why cachemgr.cgi matches though.
>>
>> Best,
>> -Michael
>>
>>> On 13 May 2020, at 22:37, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> On 13.05.2020 12:55, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> I found my script!
>>>
>>> YES! ;-)
>>>
>>>> I have committed it to the repository and sent a patch. Please have a look.
>>>
>>> Looked. Seems to work.
>>>
>>> And it would have taken me much longer to write such a script. Great
>>> you've found it.
>>>
>>>> I have also added a simple shortcut for make.sh.
>>>>
>>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>>
>>>> You can also pass multiple libraries at once.
>>>
>>> I took a ride on a Core144 build with:
>>>
>>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>>
>>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>>> >>> Result (I cut '/git/ipfire.../build/'): >>> >>> /usr/bin/virt-admin >>> /usr/bin/ivshmem-server >>> /usr/bin/bsdtar >>> /usr/bin/nettle-lfib-stream >>> /usr/bin/qemu-i386 >>> /usr/bin/qemu-edid >>> /usr/bin/squidclient >>> /usr/bin/qemu-system-arm >>> /usr/bin/qemu-arm >>> /usr/bin/virt-host-validate >>> /usr/bin/danetool >>> /usr/bin/certtool >>> /usr/bin/bsdcat >>> /usr/bin/qemu-pr-helper >>> /usr/bin/bsdcpio >>> /usr/bin/qemu-system-x86_64 >>> /usr/bin/qemu-img >>> /usr/bin/ping >>> /usr/bin/ivshmem-client >>> /usr/bin/nettle-pbkdf2 >>> /usr/bin/pkcs1-conv >>> /usr/bin/sexp-conv >>> /usr/bin/qemu-io >>> /usr/bin/dnsdist >>> /usr/bin/qemu-x86_64 >>> /usr/bin/kdig >>> /usr/bin/qemu-nbd >>> /usr/bin/elf2dmp >>> /usr/bin/qemu-system-i386 >>> /usr/bin/nettle-hash >>> /usr/bin/virsh >>> /usr/libexec/qemu-bridge-helper >>> /usr/libexec/libvirt_iohelper >>> /usr/sbin/libvirtd >>> /usr/sbin/virtlockd >>> /usr/sbin/virtlogd >>> /usr/sbin/cups-genppd.5.2 >>> /usr/sbin/squid >>> /usr/lib/libvirt.so.0.5006.0 >>> /usr/lib/libvirt-admin.so.0.5006.0 >>> /usr/lib/libhogweed.so.5.0 >>> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so >>> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so >>> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so >>> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so >>> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so >>> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so >>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so >>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so >>> /usr/lib/libvirt/lock-driver/lockd.so >>> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so >>> /usr/lib/libvirt-qemu.so.0.5006.0 >>> /usr/lib/cups/filter/commandtocanon >>> /usr/lib/cups/filter/rastertogutenprint.5.2 >>> /usr/lib/cups/filter/commandtoepson >>> /usr/lib/cups/driver/gutenprint.5.2 >>> /usr/lib/squid/negotiate_wrapper_auth >>> 
/usr/lib/squid/digest_ldap_auth >>> /usr/lib/squid/ntlm_fake_auth >>> /usr/lib/squid/basic_radius_auth >>> /usr/lib/squid/digest_file_auth >>> /usr/lib/squid/basic_ncsa_auth >>> /usr/lib/squid/cachemgr.cgi >>> /usr/lib/squid/digest_edirectory_auth >>> /usr/lib/libgnutls.so.30.23.2 >>> /usr/lib/libvirt-lxc.so.0.5006.0 >>> /usr/lib/libarchive.so.13.4.0 >>> /srv/web/ipfire/cgi-bin/cachemgr.cgi >>> >>> Looks like we would need a compat version? >>> >>> Best, >>> Matthias >>> >>>> Best, >>>> -Michael >>>> >>>>> On 4 May 2020, at 15:32, Michael Tremer <michael.tremer@ipfire.org> wrote: >>>>> >>>>> Hi, >>>>> >>>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it. >>>>> >>>>> I would recommend the following: >>>>> >>>>> 1) Have a function that takes a binary name and returns whether it matches or not. >>>>> >>>>> 2) Have a second function that finds all binary files and calls the function from 1). >>>>> >>>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it. >>>>> >>>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links again liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files then than we need to. 
>>>>> >>>>> You can run this instead: >>>>> >>>>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED >>>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6] >>>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2] >>>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] >>>>> >>>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know. >>>>> >>>>> readelf is in the binutils package. >>>>> >>>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it. >>>>> >>>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well. >>>>> >>>>> Please feel free to ask questions :) >>>>> >>>>>> On 2 May 2020, at 09:53, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> On 01.05.2020 15:17, Michael Tremer wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Do we know if anything else but gnutls links against this? >>>>>> >>>>>> Me: no => Please don't merge this patch. >>>>>> >>>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks. >>>>>> >>>>>> You're right. IIRC, I read about a similiar problem a while ago. And it >>>>>> sucks... >>>>>> >>>>>> What I'm not sure about: >>>>>> Would testing all binaries one by one with 'ldd' be sufficient enough? >>>>>> >>>>>> ToDo: >>>>>> I thought about it. I'll try to write a script that loops through (all) >>>>>> binaries and throws a message if an appropriate - missing - library (in >>>>>> this case: libhogweed or libnettle) was found. 
>>>>>> >>>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd >>>>>> [PROGRAM_NAME]', filtering the output. >>>>>> >>>>>> And just in case: has anyone here ever programmed anything like this >>>>>> already? >>>>> >>>>> I wrote such a script when we migrated OpenSSL, but I do not have it any more :) >>>>> >>>>> I should have kept it. >>>>> >>>>> -Michael >>>>> >>>>>> >>>>>> I don't want to "reinvent the wheel" unnecessarily... ;-) >>>>>> >>>>>> Opinions? >>>>>> >>>>>> Best, >>>>>> Matthias >>>>>> >>>>> >>>>> -Michael >>>>> >>>>>>> -Michael >>>>>>> >>>>>>>> On 1 May 2020, at 11:54, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>>>>>> >>>>>>>> For details see: >>>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog >>>>>>>> >>>>>>>> This update also requires updating gnutls to '3.6.13'. >>>>>>>> >>>>>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >>>>>>>> --- >>>>>>>> config/rootfiles/common/nettle | 11 +++++++---- >>>>>>>> lfs/nettle | 6 +++--- >>>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-) >>>>>>>> >>>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle >>>>>>>> index 58e3f57a0..20a269a8b 100644 >>>>>>>> --- a/config/rootfiles/common/nettle >>>>>>>> +++ b/config/rootfiles/common/nettle >>>>>>>> @@ -23,6 +23,7 @@ >>>>>>>> #usr/include/nettle/cmac.h >>>>>>>> #usr/include/nettle/ctr.h >>>>>>>> #usr/include/nettle/curve25519.h >>>>>>>> +#usr/include/nettle/curve448.h >>>>>>>> #usr/include/nettle/des.h >>>>>>>> #usr/include/nettle/dsa-compat.h >>>>>>>> #usr/include/nettle/dsa.h >>>>>>>> @@ -32,6 +33,7 @@ >>>>>>>> #usr/include/nettle/ecdsa.h >>>>>>>> #usr/include/nettle/eddsa.h >>>>>>>> #usr/include/nettle/gcm.h >>>>>>>> +#usr/include/nettle/gostdsa.h >>>>>>>> #usr/include/nettle/gosthash94.h >>>>>>>> #usr/include/nettle/hkdf.h >>>>>>>> #usr/include/nettle/hmac.h 
>>>>>>>> @@ -61,16 +63,17 @@ >>>>>>>> #usr/include/nettle/sha1.h >>>>>>>> #usr/include/nettle/sha2.h >>>>>>>> #usr/include/nettle/sha3.h >>>>>>>> +#usr/include/nettle/siv-cmac.h >>>>>>>> #usr/include/nettle/twofish.h >>>>>>>> #usr/include/nettle/umac.h >>>>>>>> #usr/include/nettle/version.h >>>>>>>> #usr/include/nettle/xts.h >>>>>>>> #usr/include/nettle/yarrow.h >>>>>>>> usr/lib/libhogweed.so >>>>>>>> -usr/lib/libhogweed.so.5 >>>>>>>> -usr/lib/libhogweed.so.5.0 >>>>>>>> +usr/lib/libhogweed.so.6 >>>>>>>> +usr/lib/libhogweed.so.6.0 >>>>>>>> #usr/lib/libnettle.so >>>>>>>> -usr/lib/libnettle.so.7 >>>>>>>> -usr/lib/libnettle.so.7.0 >>>>>>>> +usr/lib/libnettle.so.8 >>>>>>>> +usr/lib/libnettle.so.8.0 >>>>>>>> #usr/lib/pkgconfig/hogweed.pc >>>>>>>> #usr/lib/pkgconfig/nettle.pc >>>>>>>> diff --git a/lfs/nettle b/lfs/nettle >>>>>>>> index cc34b1fad..de7428121 100644 >>>>>>>> --- a/lfs/nettle >>>>>>>> +++ b/lfs/nettle >>>>>>>> @@ -1,7 +1,7 @@ >>>>>>>> ############################################################################### >>>>>>>> # # >>>>>>>> # IPFire.org - A linux based firewall # >>>>>>>> -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # >>>>>>>> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>>>>>>> # # >>>>>>>> # This program is free software: you can redistribute it and/or modify # >>>>>>>> # it under the terms of the GNU General Public License as published by # >>>>>>>> @@ -24,7 +24,7 @@ >>>>>>>> >>>>>>>> include Config >>>>>>>> >>>>>>>> -VER = 3.5.1 >>>>>>>> +VER = 3.6 >>>>>>>> >>>>>>>> THISAPP = nettle-$(VER) >>>>>>>> DL_FILE = $(THISAPP).tar.gz >>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>>>>>> >>>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>>>>> >>>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 >>>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a >>>>>>>> >>>>>>>> install : $(TARGET) >>>>>>>> >>>>>>>> -- >>>>>>>> 2.17.1 >>>> >>> >> >
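Added example, not the script that was committed to the IPFire repository: the two-function layout from the quoted 4 May message, reading only each file's direct NEEDED entries with `readelf --dynamic` and walking only executable files. The function names and the root-relative output are assumptions of this example.

```shell
#!/bin/sh
# List files under a build root that link *directly* against given sonames.
# Paths containing newlines are not handled.

# Print the DT_NEEDED sonames of one file, one per line.
# Non-ELF files make readelf fail; that yields no output rather than an error.
direct_needed() {
    { readelf --dynamic "$1" 2>/dev/null || true; } |
        sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Step 1: succeed if FILE directly needs any of the sonames that follow it.
links_against() {
    la_file=$1
    shift
    la_needed=$(direct_needed "$la_file")
    [ -n "$la_needed" ] || return 1
    for la_lib in "$@"; do
        # Fixed-string, whole-line match: libnettle.so.7 must not
        # match an entry such as libnettle.so.70.
        if printf '%s\n' "$la_needed" | grep -Fxq -- "$la_lib"; then
            return 0
        fi
    done
    return 1
}

# Step 2: walk ROOT, look only at regular files with an execute bit set,
# and print every match with the ROOT prefix removed.
find_dependents() {
    fd_root=$1
    shift
    case $fd_root in
        /) fd_strip= ;;
        *) fd_root=${fd_root%/}; fd_strip=$fd_root ;;
    esac
    find "$fd_root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sort |
        while IFS= read -r fd_path; do
            if links_against "$fd_path" "$@"; then
                printf '%s\n' "${fd_path#"$fd_strip"}"
            fi
        done
}

# Usage when run as a script: ROOT SONAME [SONAME...]
if [ "$#" -ge 2 ]; then
    find_dependents "$@"
fi
```

Because only direct NEEDED entries are read, a binary that reaches the library through another shared object is not reported; the shared object in between is.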
diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle index 58e3f57a0..20a269a8b 100644 --- a/config/rootfiles/common/nettle +++ b/config/rootfiles/common/nettle @@ -23,6 +23,7 @@ #usr/include/nettle/cmac.h #usr/include/nettle/ctr.h #usr/include/nettle/curve25519.h +#usr/include/nettle/curve448.h #usr/include/nettle/des.h #usr/include/nettle/dsa-compat.h #usr/include/nettle/dsa.h @@ -32,6 +33,7 @@ #usr/include/nettle/ecdsa.h #usr/include/nettle/eddsa.h #usr/include/nettle/gcm.h +#usr/include/nettle/gostdsa.h #usr/include/nettle/gosthash94.h #usr/include/nettle/hkdf.h #usr/include/nettle/hmac.h @@ -61,16 +63,17 @@ #usr/include/nettle/sha1.h #usr/include/nettle/sha2.h #usr/include/nettle/sha3.h +#usr/include/nettle/siv-cmac.h #usr/include/nettle/twofish.h #usr/include/nettle/umac.h #usr/include/nettle/version.h #usr/include/nettle/xts.h #usr/include/nettle/yarrow.h usr/lib/libhogweed.so -usr/lib/libhogweed.so.5 -usr/lib/libhogweed.so.5.0 +usr/lib/libhogweed.so.6 +usr/lib/libhogweed.so.6.0 #usr/lib/libnettle.so -usr/lib/libnettle.so.7 -usr/lib/libnettle.so.7.0 +usr/lib/libnettle.so.8 +usr/lib/libnettle.so.8.0 #usr/lib/pkgconfig/hogweed.pc #usr/lib/pkgconfig/nettle.pc diff --git a/lfs/nettle b/lfs/nettle index cc34b1fad..de7428121 100644 --- a/lfs/nettle +++ b/lfs/nettle @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.5.1 +VER = 3.6 THISAPP = nettle-$(VER) DL_FILE = $(THISAPP).tar.gz 
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86 +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a install : $(TARGET)
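Review bot: In the last config/rootfiles/common/nettle hunk, the entries for libhogweed.so.5/.5.0 and libnettle.so.7/.7.0 are dropped in the same change that adds .so.6 and .so.8, so any installed file whose NEEDED entries still name the old sonames loses its library once this ships. The find-dependencies run in this thread lists libgnutls, libarchive, squid and several add-ons (libvirt, Qemu, cups) as linking against them. Either ship the rebuilt dependents together with this update or keep the old sonames available through a compat package, and say in the commit message which of the two applies.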
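Review bot: The commit message states that this update requires gnutls 3.6.13, but the diffstat covers only config/rootfiles/common/nettle and lfs/nettle, so applying the `VER = 3.6` change on its own leaves the tree in the state the message warns about. Send the gnutls update in the same series, or name the patch this one depends on so the two are merged in order.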
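Review bot: The `$(DL_FILE)_MD5` line in lfs/nettle is the only integrity pin visible for the new tarball, and MD5 is not collision resistant, so it catches a corrupted download but is weak evidence against a substituted archive. For a crypto library, check the 3.6 tarball against upstream's published signature before recording the sum, and note in the commit message that this was done.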