For information: upstream has a new maintainer and sent me this message.
---------- Weitergeleitete Nachricht ----------
Betreff: Re: New Gringotts (pre)release
Datum: Donnerstag, 4. Oktober 2007
Von: Shlomi Fish <shlomif-lkml@freehackers.org>
An: Bastian Kleineidam <calvin@debian.org>
On Wednesday 03 October 2007, Bastian Kleineidam wrote:
> I attached the individual patches (also found in the debian/patches dir of
> the source).
>
OK, here is how I applied them:
1. 01_adjust_docdir.dpatch :
Basically what it does is:
<<<<<<<<<<
- grg_display_file (DOCDIR "/FAQ");
+ grg_display_file ("/usr/share/doc/gringotts/FAQ");
>>>>>>>>>>
Which hard-codes a different DOCDIR directory. What I did instead was convert
gringotts to use autoconf-2.61, and then propagate the --docdir parameter
to -DDOCDIR in Makefile.am (and Makefile.in and Makefile). So you can specify
a different --docdir at ./configure time. (Although with --prefix=/usr the
default should now be OK.)
2. 02_pixmap_32x32.dpatch
This patch seems useful so I applied it. However, I patched Makefile.am
instead of Makefile.in, which in turn will generate Makefile.in.
3. 03_nostrip.dpatch:
<<<<<<
install-exec-local:
- strip $(DESTDIR)$(bindir)/gringotts
chmod u+s $(DESTDIR)$(bindir)/gringotts
>>>>>>
I don't understand the motivation for this patch. I can remove the "strip"
call from Makefile.am, but why should I do that? I'd like to hear your
reasoning.
4. 04_pango_free.dpatch
Already applied in the repository. Skipping.
6. 06_check_regcomp_ret.dpatch
Looks nice. Applied. Thanks!
7. 07_check_ulimit.dpatch
Well, I like the direction of this patch. However:
7.a) There's a bug:
<<<<<<<<<
return (X >= a && Y >= b && Z >= c);
>>>>>>>
What if I give it kernel "2.8.0" as input (where a,b,c is 2.6.9)? It will
fail. I fixed it in my patch. (attached).
7.b) I made sure to "#ifdef linux" the relevant parts that check the
Linux-kernel so it won't fail on non-Linux systems.
------------
This patch is now applied to the repository.
8. 08_german_translation.dpatch
This seems to fix the German translation. However, I'm not sure the line
numbers are the same, and I don't have much experience with it. After I
release 1.2.9-pre2, I'd appreciate it if you can commit a new translation to
the repository or send me an "svn diff".
9. 09_check_key.dpatch
I could see the two bugs fixed by this patch. However, I did not like the
approach you took that load_file() returns the possibly different filename.
Instead, what I did was change it to have the absolute filename as a
different variable and then clean it up at the end of the function (while
using "goto cleanup".
The second issue (with the "verkey"), I applied as is. It is now in the
repository.
10. 10_find_again.dpatch
My patch and it's already applied.
11. 11_find_focus.dpatch
My patch and it's already applied.
12. 12_cpp_comments.dpatch
This patch for replacing C++-style comments ("//") with ANSI C style comments
("/* ... */") is a good idea. I applied it, bug got rejects, and eventually
had to do a lot of "manual" (i.e using Vim macros) work.
13. 13_compiler_warnings.dpatch
I applied a lot of this patch (there were some leftovers from a different
patch), and eliminated some other warnings.
======================
That's it.
You can find the latest version at:
http://svn.berlios.de/svnroot/repos/gringotts/gringotts/trunk
The latest svn revision as of now is "60".
If all goes well, then I'll release a new version (gringotts-1.2.9-pre2) based
on it.
Regards,
Shlomi Fish
Index: src/grg_safe.c
===================================================================
--- src/grg_safe.c (revision 55)
+++ src/grg_safe.c (working copy)
@@ -33,6 +33,7 @@
#include <stdlib.h>
#include <string.h>
+#include <errno.h>
#include <regex.h>
#include <unistd.h>
#include <fcntl.h>
@@ -45,6 +46,9 @@
#include <sys/time.h>
#include <sys/types.h>
#include <sys/resource.h>
+#ifdef linux
+#include <sys/utsname.h>
+#endif
#include <sys/stat.h>
#include <stdio.h>
@@ -56,6 +60,38 @@
ptrace_safe = FALSE;
static gint safety_level = GRG_SAFE;
+#ifdef linux
+/* check if current kernel release X.Y.Z is greater or equal than a.b.c */
+static gboolean grg_kver_ge (int a, int b, int c) {
+ struct utsname uval;
+ char *s1, *s2, *s3;
+ char* release;
+ int X, Y, Z;
+ uname(&uval);
+ release = uval.release;
+ s1 = strsep(&release, ".");
+ s2 = strsep(&release, ".");
+ s3 = strsep(&release, ".");
+ if (s1==NULL || s2==NULL || s3==NULL) {
+ /* unknown kernel version, assume FALSE */
+ return FALSE;
+ }
+ X = atoi(s1);
+ Y = atoi(s2);
+ Z = atoi(s3);
+ return
+ ((X > a) ||
+ (
+ (X ==a) &&
+ (
+ (Y > b) ||
+ ((Y == b) && (Z >= c))
+ )
+ )
+ );
+}
+#endif
+
gboolean
grg_mlockall_and_drop_root_privileges(void)
{
@@ -73,6 +109,31 @@
// order to avoid swapping.
{
#ifdef HAVE_MLOCKALL
+#ifdef linux
+ if (grg_kver_ge(2, 6, 9)) {
+ // since Linux 2.6.9, the memlock amount of unprivileged processes
+ // is limited to the soft limit of RLIMIT_MEMLOCK
+ // Check if there is at least 50000 KB available (which should be
+ // ok for most usages). Else there can be nasty segmentation
+ // faults due to failing malloc() calls and missing NULL checks in
+ // unrelated libraries (eg. libX11 functions).
+ struct rlimit rl;
+ gint res = getrlimit(RLIMIT_MEMLOCK, &rl);
+ gint minbytes = 50000*1024;
+ if (res) {
+ g_critical(_("Cannot get MEMLOCK resource limit: %s"),
+ strerror(errno));
+ return FALSE;
+ }
+ if (rl.rlim_cur < minbytes) {
+ g_critical(_("Increase the memory locking limit to at least "
+ "%d bytes. Current limit: %d bytes.\n"
+ "See /usr/share/doc/gringotts/README.Debian for directions."),
+ minbytes, rl.rlim_cur);
+ return FALSE;
+ }
+ }
+#endif
gint res = mlockall(MCL_CURRENT | MCL_FUTURE);
if (res) {
Attachment:
signature.asc
Description: This is a digitally signed message part.