FS#64416 - [gettext] depends on libcroco, but uses internal static copy instead
Attached to Project:
Arch Linux
Opened by Eli Schwartz (eschwartz) - Thursday, 07 November 2019, 04:32 GMT
Last edited by Allan McRae (Allan) - Monday, 28 February 2022, 10:15 GMT
Details
The gettext package has a dependency on the libcroco
package, but does not link to libcroco-0.6.so -- running
makepkg reveals that when configuring libtextstyle it is
ending up with the following options:
checking whether to use the included libcroco... yes
checking whether to use the included glib... yes
checking whether to use the included libxml... yes

The package should be fixed to link correctly to the system copy.

Note: at the same time, libcroco and libxml2 really need to be moved to [core], because core packages should only depend on core and depending on packages in another repository means an update to its dependencies doesn't have an enforced [testing] period and can therefore break the package.

Note2: libxml2 is correctly linked to by /usr/lib/libgettextsrc-0.20.1.so, if not by libtextstyle, and therefore libxml2 would need to be moved to core even if the internal copy of libcroco was kept.
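The report's core observation is that the package's depends array names libcroco while the built objects never ask the dynamic linker for libcroco-0.6.so, so a bundled copy is being used instead. That mismatch is visible in the DT_NEEDED entries of the installed ELF files, and reading them is how a packager confirms what a build actually linked against rather than trusting the configure summary. The following is an added example, not part of the bug report or of Arch's packaging tooling: a small Python parser that walks the section headers of a little-endian ELF64 file, reads the .dynamic section, and compares the DT_NEEDED sonames against a declared dependency list. The build_sample_elf helper constructs a minimal ELF image inline so the check runs offline; the sonames in that sample (libc.so.6, libxml2.so.2) and the declared list are constructed values, not taken from the real gettext package.

```python
import struct

# ELF constants used below (from the ELF64 specification).
SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1
SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr: name,type,flags,addr,offset,size,link,info,addralign,entsize


def _cstr(buf, off):
    """Read a NUL-terminated string starting at byte offset `off`."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def needed_sonames(data):
    """Return the DT_NEEDED sonames of a little-endian ELF64 image, in order.

    Walks the section header table, finds the SHT_DYNAMIC section and resolves
    each DT_NEEDED value through the string table named by that section's sh_link.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        sh_offset, sh_size, sh_link = sh[4], sh[5], sh[6]
        strtab_off = sections[sh_link][4]  # file offset of the linked .dynstr
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)  # Elf64_Dyn
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed.append(_cstr(data, strtab_off + d_val))
    return needed


def linkage_report(data, declared_sonames):
    """Compare what the binary really links against with what the package declares.

    Returns (undeclared, unused): sonames present in DT_NEEDED but not declared,
    and sonames declared but never requested by the binary (the bug's situation).
    """
    needed = set(needed_sonames(data))
    declared = set(declared_sonames)
    return sorted(needed - declared), sorted(declared - needed)


def build_sample_elf(sonames):
    """Construct a minimal ELF64 image (constructed test input, not a real binary)
    with a .dynstr, a .dynamic listing `sonames` as DT_NEEDED, and a .shstrtab."""
    dynstr, offsets = b"\x00", []
    for name in sonames:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\x00"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    shstrtab = b"\x00.dynstr\x00.dynamic\x00.shstrtab\x00"  # names at 1, 9, 18
    dynstr_off = 64                      # right after the ELF header
    dynamic_off = dynstr_off + len(dynstr)
    shstrtab_off = dynamic_off + len(dynamic)
    shoff = (shstrtab_off + len(shstrtab) + 7) & ~7  # 8-byte align the table

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(9, SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16)  # sh_link -> .dynstr
             + shdr(18, SHT_STRTAB, shstrtab_off, len(shstrtab), 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    body = ehdr + dynstr + dynamic + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


if __name__ == "__main__":
    import sys
    # Usage: python elf_needed.py /path/to/lib.so soname1 soname2 ...
    # With no arguments the constructed sample image is inspected instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
        declared = sys.argv[2:]
    else:
        image = build_sample_elf(["libc.so.6", "libxml2.so.2"])
        declared = ["libc.so.6", "libcroco-0.6.so"]  # constructed: libcroco declared but never linked
    undeclared, unused = linkage_report(image, declared)
    print("DT_NEEDED:", needed_sonames(image))
    print("linked but undeclared:", undeclared)
    print("declared but never linked:", unused)
```

The parser relies on section headers, which normal distribution builds keep; a binary whose section table has been stripped would need a PT_DYNAMIC walk through the program headers instead, and 32-bit or big-endian objects are deliberately rejected. Running it over every ELF file in a built package and diffing the result against the PKGBUILD's depends array surfaces exactly the two failure modes in this report: a declared library that nothing links (a silently bundled copy) and a linked library that is not declared.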
Closed by Allan McRae (Allan)
Monday, 28 February 2022, 10:15 GMT
Reason for closing: Fixed
Additional comments about closing: gettext-0.21-2
What isn't intentional though is that gettext links against included AND system libxml2 now.
For security reasons using system libxml2 and libcroco would be better though: gettext is not released very often, it includes libxml2 version 2.9.9 and they have one buffer overrun patch applied to their local version, which is not in a public gettext release. Upstream libxml2 is at 2.9.10 and includes a massive amount of security fixes.
I would propose to revert the upstream change by changing libtextstyle/gnulib-m4/gnulib-comp.m4. Lines to change are gl_LIBCROCO([yes]), gl_LIBGLIB([yes]) and gl_LIBXML([yes]). "yes" should become "no".
I'll make a patch devendoring glib2 and libxml2, but leaving the included libcroco.
Though hardly maintained upstream, we have more users of libcroco, so the package will not go away soon.
In addition to that: the bump to 0.6.13 was done post-release. The 0.6.13 release contains a security fix that has been sitting in GNOME git for 2 years. Gettext 0.20.1 doesn't have the fix.
This doesn't work. The build doesn't use the needed include dirs and fails, no matter which of the three you try to devendor.
The only other users are librsvg and gnome-shell; the former was already ported in master and the blog post talks about porting the latter.
https://src.fedoraproject.org/rpms/gettext/blob/master/f/gettext.spec#_183
https://src.fedoraproject.org/rpms/gettext/blob/master/f/gettext.spec#_201
Also, unrelated to this bug, there's an additional libtool script that we don't patch with the sed hack in the PKGBUILD.
Recommendation for distros is to bundle libcroco internally for the few projects that still need it or even better drop it if possible: https://src.fedoraproject.org/rpms/gettext/c/093dcc4088340167126723346095247ed336c9d0?branch=master.
Considering that gettext currently doesn't use system-wide libcroco at all and as a part of the base group is very common among Arch users, I think dropping the libcroco dep is a no-brainer here. After that cinnamon will be the only package in the repos runtime-depending on libcroco.
http://git.savannah.gnu.org/cgit/gettext.git/commit/DEPENDENCIES?id=32f5208257a411d7e5d88171b4812d0eb1f4cd41
- gettext now uses builtin copies of libcroco and glib2 and does not provide a way of using external versions.
- we should use internal libcroco anyway, as we want this package gone from the repos
- gettext uses an internal subset of libxml2. There is a configure option that apparently allows building against libxml2, but it seems to do nothing...
- we can adjust the libtextstyle/gnulib-m4/gnulib-comp.m4 to try and force full libxml2 usage, but that causes failures due to old configure files and autoconf versions...
- libxml2 still is linked in for some parts of the build.
While it is better from a security standpoint to not use the internal versions of the library, the upstream developers have made it clear this is what they intend. So I am going to remove the libcroco dependency, add libxml2 (because it is directly linked in some places) and upload that as an intermediate solution.