From: Leo Famulari <leo@famulari.name>
Subject: Re: OpenSSL 1.1.0c security update required
Date: Tue, 15 Nov 2016 14:09:05 -0500
Message-ID: <20161115190905.GA1941@jasmine>
References: <20161111014018.GA19957@jasmine>
 <87zil5ndtj.fsf@gnu.org>
In-Reply-To: <87zil5ndtj.fsf@gnu.org>
To: Ludovic Courtès <ludo@gnu.org>
Cc: guix-devel@gnu.org


On Sat, Nov 12, 2016 at 12:21:44PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > They changed how library runpaths are recorded at build time, and so our
> > packaging no longer works:
> >
> > https://github.com/openssl/openssl/pull/1699
>
> I would expect ld-wrapper to do the right thing regardless of what
> OpenSSL's build system does, no?

So far, we've had to do some extra work in the openssl-next package
definition:

(add-after 'configure 'patch-runpath
  (lambda* (#:key outputs #:allow-other-keys)
    (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
      ;; Make the link command for the shared libraries record the
      ;; output's lib directory in their RUNPATH.
      (substitute* "Makefile.shared"
        (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
         (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
                        " -Wl,-rpath," lib)))
      #t)))

This phase still works to help OpenSSL's libraries find the libssl and
libcrypto libraries, but the OpenSSL executable itself now lacks a
reference to those libraries:

starting phase `validate-runpath'
validating RUNPATH of 5 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/lib"...
validating RUNPATH of 1 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin"...
/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libssl.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libcrypto.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
validating RUNPATH of 0 binaries in "/gnu/store/wdzvwl9kx3iiq4fk2qyxg7sjxqq2qx3x-openssl-1.1.0c-static/lib"...
phase `validate-runpath' failed after 0.0 seconds
builder for `/gnu/store/ja9xpivxkfvbm2p6zs1vicdkk4ppq1is-openssl-1.1.0c.drv' failed with exit code 1

Upstream discussion:
https://github.com/openssl/openssl/pull/1688
https://github.com/openssl/openssl/pull/1699

My understanding is that this change was made for openssl@1.0.2 as well,
so we will need to address it for the next big OpenSSL update. We should
try packaging a Git snapshot of 1.0.2 now, so that we are ready.
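
As an added example (not Guix's own code), the following script performs the same check as the validate-runpath phase: it reads `readelf -d` output for a binary and reports every NEEDED library that none of its RUNPATH/RPATH directories actually contains, expanding `$ORIGIN` the way the dynamic loader does. The store layout and the readelf text in demo() are constructed to mirror the failing openssl-1.1.0c build above; the readelf line format is the one GNU binutils prints.

```python
"""Re-run the check Guix's validate-runpath phase performs (added example,
not Guix's own code): every DT_NEEDED library of a binary must be found in
some RUNPATH/RPATH directory.  Input is the text of `readelf -d <binary>`."""
import os
import re
import tempfile

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[(.+?)\]")
RUNPATH_RE = re.compile(r"\((?:RUNPATH|RPATH)\)\s+Library r(?:un)?path: \[(.*?)\]")


def parse_dynamic(readelf_output):
    """Return (needed_libraries, runpath_dirs) from `readelf -d` text."""
    needed = NEEDED_RE.findall(readelf_output)
    dirs = []
    for match in RUNPATH_RE.finditer(readelf_output):
        dirs.extend(d for d in match.group(1).split(":") if d)
    return needed, dirs


def validate_runpath(binary, readelf_output):
    """Return the NEEDED libraries that no RUNPATH directory contains."""
    needed, dirs = parse_dynamic(readelf_output)
    origin = os.path.dirname(os.path.abspath(binary))  # $ORIGIN = binary's dir
    dirs = [d.replace("$ORIGIN", origin) for d in dirs]
    return [lib for lib in needed
            if not any(os.path.exists(os.path.join(d, lib)) for d in dirs)]


def demo():
    """Constructed store layout: returns (missing before the rpath fix, after)."""
    with tempfile.TemporaryDirectory() as store:
        glibc = os.path.join(store, "glibc-2.24", "lib")
        ssl_lib = os.path.join(store, "openssl-1.1.0c", "lib")
        ssl_bin = os.path.join(store, "openssl-1.1.0c", "bin")
        for d in (glibc, ssl_lib, ssl_bin):
            os.makedirs(d)
        for path in (os.path.join(glibc, "libc.so.6"),
                     os.path.join(ssl_lib, "libssl.so.1.1"),
                     os.path.join(ssl_lib, "libcrypto.so.1.1"),
                     os.path.join(ssl_bin, "openssl")):
            open(path, "w").close()  # empty stand-ins for the real ELF files
        binary = os.path.join(ssl_bin, "openssl")
        needed = "".join("0x0000000000000001 (NEEDED)  Shared library: [%s]\n" % lib
                         for lib in ("libssl.so.1.1", "libcrypto.so.1.1", "libc.so.6"))
        # Before: only the toolchain's directory was recorded, as in the log above.
        before = needed + "0x000000000000001d (RUNPATH)  Library runpath: [%s]\n" % glibc
        # After: -Wl,-rpath added the package's own lib directory (here via $ORIGIN).
        after = needed + "0x000000000000001d (RUNPATH)  Library runpath: [%s:$ORIGIN/../lib]\n" % glibc
        return validate_runpath(binary, before), validate_runpath(binary, after)
```

On a real build, feed `validate_runpath` the output of `readelf -d bin/openssl` to get the same two missing-library names the phase reported.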
