Bug#909267: library-not-linked-against-libc: downgrade from error

To: Chris Lamb <lamby@debian.org>
Cc: Jeremy Bicha <jbicha@debian.org>, 909267@bugs.debian.org, naesten@gmail.com
Subject: Bug#909267: library-not-linked-against-libc: downgrade from error
From: Simon McVittie <smcv@debian.org>
Date: Thu, 20 Sep 2018 21:37:14 +0100
Message-id: <[🔎] 20180920203714.GA10668@espresso.pseudorandom.co.uk>
Reply-to: Simon McVittie <smcv@debian.org>, 909267@bugs.debian.org
In-reply-to: <[🔎] 1537461750.2004232.1514996608.71C30A1F@webmail.messagingengine.com>
References: <[🔎] CAAajCMb1+2fU47vrP-ZLxBGVrWb4HJGEx3aanNnPZ=2nDoZ-1A@mail.gmail.com> <[🔎] 1537461750.2004232.1514996608.71C30A1F@webmail.messagingengine.com> <[🔎] CAAajCMb1+2fU47vrP-ZLxBGVrWb4HJGEx3aanNnPZ=2nDoZ-1A@mail.gmail.com>

On Thu, 20 Sep 2018 at 17:42:30 +0100, Chris Lamb wrote:
> > "I think that tag is too high-priority tbh. In frameworks like GLib
> > and Qt it's far from unusual to do everything with higher-level
> > functions and not use libc directly at all, and -Wl,--as-needed turns
> > that into no dependency.
> 
> Before we downgrade it and/or suggest overriding, is there not a way of
> detecting such false-positives? That would be a better outcome overall,
> no?

Was the goal of this tag to tell the difference between libraries that
are linked to their dependencies, and libraries that aren't, like the
difference between these?

$ gcc -shared -Wl,-soname,libbad.so.0 -olibbad.so.0 libhello.c `pkg-config --cflags glib-2.0`
$ gcc -shared -Wl,-soname,libgood.so.0 -olibgood.so.0 libhello.c `pkg-config --cflags --libs glib-2.0`

(where libhello.c[1] calls a GLib function, in this example)

I'm not sure how effective this tag actually is in detecting libraries not
being linked to their dependencies, because both libraries above end up
with a DT_NEEDED tag for libc.so.6 anyway (unless I use -Wl,--as-needed,
which is what's causing GNOME to trigger this tag so often).

One way to detect this problem if your libraries are native and you don't
mind arbitrary code execution is to dlopen() them and see what happens,
but I assume that isn't acceptable for Lintian.

Another is to link a trivial program[2] to the library with -Wl,-z,defs
(and without -Wl,--as-needed):

$ gcc -Wl,-z,defs -ohello hello.c libgood.so.0; echo $?
0
$ gcc -Wl,-z,defs -ohello hello.c libbad.so.0; echo $?
/usr/bin/ld: libbad.so.0: undefined reference to `g_print'
1

but again that probably isn't acceptable for Lintian, because it needs
a linker of the same architecture as the library.

Checking that the library has at least one DT_NEEDED tag
(objdump -Tx libgood.so.0 | grep NEEDED is a crude version of this)
is probably as good as checking for libc specifically? But that's still
not very good - it would fail to detect my libbad.so.0 above, and so would
current Lintian.

Regards,
    smcv

[1]
#include <glib.h>

void
hello (void)
{
  g_print ("hello");
}

[2]
int
main (void)
{
  return 0;
}

Reply to:

Follow-Ups:
- Bug#909267: library-not-linked-against-libc: downgrade from error
  - From: Chris Lamb <lamby@debian.org>

References:
- Bug#909267: library-not-linked-against-libc: downgrade from error
  - From: Jeremy Bicha <jbicha@debian.org>
- Bug#909267: library-not-linked-against-libc: downgrade from error
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Build failed in Jenkins: lintian-tests_sid #3236
Next by Date: Bug#909239: lintian: ancient-python-version-field is wrong
Previous by thread: Processed: Re: Bug#909267: library-not-linked-against-libc: downgrade from error
Next by thread: Bug#909267: library-not-linked-against-libc: downgrade from error
Index(es):
- Date
- Thread