For information: upstream has a new maintainer and sent me this message. ---------- Weitergeleitete Nachricht ---------- Betreff: Re: New Gringotts (pre)release Datum: Donnerstag, 4. Oktober 2007 Von: Shlomi Fish <shlomif-lkml@freehackers.org> An: Bastian Kleineidam <calvin@debian.org> On Wednesday 03 October 2007, Bastian Kleineidam wrote: > I attached the individual patches (also found in the debian/patches dir of > the source). > OK, here is how I applied them: 1. 01_adjust_docdir.dpatch : Basically what it does is: <<<<<<<<<< - grg_display_file (DOCDIR "/FAQ"); + grg_display_file ("/usr/share/doc/gringotts/FAQ"); >>>>>>>>>> Which hard-codes a different DOCDIR directory. What I did instead was convert gringotts to use autoconf-2.61, and then propagate the --docdir parameter to -DDOCDIR in Makefile.am (and Makefile.in and Makefile). So you can specify a different --docdir at ./configure time. (Although with --prefix=/usr the default should now be OK.) 2. 02_pixmap_32x32.dpatch This patch seems useful so I applied it. However, I patched Makefile.am instead of Makefile.in, which in turn will generate Makefile.in. 3. 03_nostrip.dpatch: <<<<<< install-exec-local: - strip $(DESTDIR)$(bindir)/gringotts chmod u+s $(DESTDIR)$(bindir)/gringotts >>>>>> I don't understand the motivation for this patch. I can remove the "strip" call from Makefile.am, but why should I do that? I'd like to hear your reasoning. 4. 04_pango_free.dpatch Already applied in the repository. Skipping. 6. 06_check_regcomp_ret.dpatch Looks nice. Applied. Thanks! 7. 07_check_ulimit.dpatch Well, I like the direction of this patch. However: 7.a) There's a bug: <<<<<<<<< return (X >= a && Y >= b && Z >= c); >>>>>>> What if I give it kernel "2.8.0" as input (where a,b,c is 2.6.9)? It will fail. I fixed it in my patch. (attached). 7.b) I made sure to "#ifdef linux" the relevant parts that check the Linux-kernel so it won't fail on non-Linux systems. ------------ This patch is now applied to the repository. 8. 08_german_translation.dpatch This seems to fix the German translation. However, I'm not sure the line numbers are the same, and I don't have much experience with it. After I release 1.2.9-pre2, I'd appreciate it if you can commit a new translation to the repository or send me an "svn diff". 9. 09_check_key.dpatch I could see the two bugs fixed by this patch. However, I did not like the approach you took that load_file() returns the possibly different filename. Instead, what I did was change it to have the absolute filename as a different variable and then clean it up at the end of the function (while using "goto cleanup". The second issue (with the "verkey"), I applied as is. It is now in the repository. 10. 10_find_again.dpatch My patch and it's already applied. 11. 11_find_focus.dpatch My patch and it's already applied. 12. 12_cpp_comments.dpatch This patch for replacing C++-style comments ("//") with ANSI C style comments ("/* ... */") is a good idea. I applied it, bug got rejects, and eventually had to do a lot of "manual" (i.e using Vim macros) work. 13. 13_compiler_warnings.dpatch I applied a lot of this patch (there were some leftovers from a different patch), and eliminated some other warnings. ====================== That's it. You can find the latest version at: http://svn.berlios.de/svnroot/repos/gringotts/gringotts/trunk The latest svn revision as of now is "60". If all goes well, then I'll release a new version (gringotts-1.2.9-pre2) based on it. Regards, Shlomi Fish
Index: src/grg_safe.c =================================================================== --- src/grg_safe.c (revision 55) +++ src/grg_safe.c (working copy) @@ -33,6 +33,7 @@ #include <stdlib.h> #include <string.h> +#include <errno.h> #include <regex.h> #include <unistd.h> #include <fcntl.h> @@ -45,6 +46,9 @@ #include <sys/time.h> #include <sys/types.h> #include <sys/resource.h> +#ifdef linux +#include <sys/utsname.h> +#endif #include <sys/stat.h> #include <stdio.h> @@ -56,6 +60,38 @@ ptrace_safe = FALSE; static gint safety_level = GRG_SAFE; +#ifdef linux +/* check if current kernel release X.Y.Z is greater or equal than a.b.c */ +static gboolean grg_kver_ge (int a, int b, int c) { + struct utsname uval; + char *s1, *s2, *s3; + char* release; + int X, Y, Z; + uname(&uval); + release = uval.release; + s1 = strsep(&release, "."); + s2 = strsep(&release, "."); + s3 = strsep(&release, "."); + if (s1==NULL || s2==NULL || s3==NULL) { + /* unknown kernel version, assume FALSE */ + return FALSE; + } + X = atoi(s1); + Y = atoi(s2); + Z = atoi(s3); + return + ((X > a) || + ( + (X ==a) && + ( + (Y > b) || + ((Y == b) && (Z >= c)) + ) + ) + ); +} +#endif + gboolean grg_mlockall_and_drop_root_privileges(void) { @@ -73,6 +109,31 @@ // order to avoid swapping. { #ifdef HAVE_MLOCKALL +#ifdef linux + if (grg_kver_ge(2, 6, 9)) { + // since Linux 2.6.9, the memlock amount of unprivileged processes + // is limited to the soft limit of RLIMIT_MEMLOCK + // Check if there is at least 50000 KB available (which should be + // ok for most usages). Else there can be nasty segmentation + // faults due to failing malloc() calls and missing NULL checks in + // unrelated libraries (eg. libX11 functions). + struct rlimit rl; + gint res = getrlimit(RLIMIT_MEMLOCK, &rl); + gint minbytes = 50000*1024; + if (res) { + g_critical(_("Cannot get MEMLOCK resource limit: %s"), + strerror(errno)); + return FALSE; + } + if (rl.rlim_cur < minbytes) { + g_critical(_("Increase the memory locking limit to at least " + "%d bytes. Current limit: %d bytes.\n" + "See /usr/share/doc/gringotts/README.Debian for directions."), + minbytes, rl.rlim_cur); + return FALSE; + } + } +#endif gint res = mlockall(MCL_CURRENT | MCL_FUTURE); if (res) {
Attachment:
signature.asc
Description: This is a digitally signed message part.