Ludovic Courtès writes:

> Hello Marius,
>
> Marius Bakke writes:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do. Unfortunately the new defaults
>> appear to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces. Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field. Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y. Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT. Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> + (substitute* "wpa_supplicant/defconfig"
>> + ;; Disable D-Bus by default.
>> + (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> + (string-append "#" line)))
>
> This change is unrelated to the upgrade, right? It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no? Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support. Upstream enabled D-Bus by default in
version 2.8, so I toggled it back with the snippet above so
"wpa-supplicant-minimal" stays the same.

However, I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled. So I'm not sure
if it makes sense to have the separate -minimal variant anymore.

The sizes of both wpa-supplicant variants are 102.4 MiB after this patch,
down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?
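Review bot: in the `substitute*` hunk, the binding list `(line _)` declares a second capture group that the regexp `^CONFIG_CTRL_IFACE_DBUS_` does not define; `(("^CONFIG_CTRL_IFACE_DBUS_" line) (string-append "#" line))` is sufficient. Also, because the pattern is anchored only at the start of the line, `line` holds just the matched `CONFIG_CTRL_IFACE_DBUS_` prefix rather than the whole line; prepending `#` to that prefix still comments the line out, but a name such as `prefix` would describe what the variable actually contains.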