
Bug#1095785: marked as done (src:xorg-server: Build xorg's X server against libnettle)



Your message dated Thu, 13 Feb 2025 09:28:36 +0000
with message-id <E1tiVWO-00DK7A-4F@fasolo.debian.org>
and subject line Bug#1095785: fixed in xorg-server 2:21.1.15-3
has caused the Debian Bug report #1095785,
regarding src:xorg-server: Build xorg's X server against libnettle
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1095785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095785
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: xorg-server
Version: 2:21.1.15-2
Severity: wishlist
Tags: patch

Hi Xserver maintainers!

Please consider building the X.org xserver against nettle for its
implementation of sha1.  nettle is likely to already be installed on
upcoming debian systems, since apt depends on sqv, which depends on
libnettle.

We already build xserver against libnettle statically for the udeb, so
we know that it works as a sha1 backend.

I've prepared a short patch series that makes xserver depend directly on
nettle for the normal .deb, not just the udeb.

You can find it here:

   https://salsa.debian.org/xorg-team/xserver/xorg-server/-/merge_requests/15

I'm also including those changes against the debian-unstable branch in
this message, but since the most complex one is a diff of debian/patches
it might be easier to make sense of it on the salsa MR.

I hope this is helpful!

   --dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.6-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From b39f35ef926de752001b5efaa15f9e10ef9900ef Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 11 Feb 2025 18:53:47 -0500
Subject: [PATCH 1/3] Use statically linked nettle from upstream

Upstream has merged this change, see
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756

This should let us build the udeb cleanly, leaving the ability to
build against a non-static nettle in the normal build.
---
 ...-enable-static-use-of-Nettle-for-SHA1.diff | 50 +++++++++++++++++++
 debian/patches/03_static-nettle.diff          | 19 -------
 debian/patches/series                         |  4 +-
 debian/rules.flags                            |  2 +-
 4 files changed, 52 insertions(+), 23 deletions(-)
 create mode 100644 debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
 delete mode 100644 debian/patches/03_static-nettle.diff

diff --git a/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff b/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
new file mode 100644
index 000000000..16029538d
--- /dev/null
+++ b/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
@@ -0,0 +1,50 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 3 Jan 2025 14:41:59 -0500
+Subject: autotools: enable static use of Nettle for SHA1
+
+Debian builds xserver 21 using autotools.
+
+When debian builds xserver-xorg for constrained environments like the
+installer, it wants to build against the static library of libnettle
+for SHA1, see debian/patches/03_static-nettle.diff in the debian
+repository at
+https://salsa.debian.org/xorg-team/xserver/xorg-server.git
+
+This modification of configure.ac makes it possible to build static
+nettle when needed, while preserving the build to use nettle with a
+dynamic library when passing a different configuration option.
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756>
+(cherry picked from commit a651eefc9e525072d99413c1aeabd01858c50819)
+---
+ configure.ac | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7c24a74..fcdef39 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1509,7 +1509,7 @@ CORE_INCS='-I$(top_srcdir)/include -I$(top_builddir)/include'
+ 
+ # SHA1 hashing
+ AC_ARG_WITH([sha1],
+-            [AS_HELP_STRING([--with-sha1=libc|libmd|libnettle|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI],
++            [AS_HELP_STRING([--with-sha1=libc|libmd|libnettle|nettlestatic|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI],
+                             [choose SHA1 implementation])])
+ AC_CHECK_FUNC([SHA1Init], [HAVE_SHA1_IN_LIBC=yes])
+ if test "x$with_sha1" = x && test "x$HAVE_SHA1_IN_LIBC" = xyes; then
+@@ -1584,6 +1584,14 @@ if test "x$with_sha1" = xlibnettle; then
+ 	          [Use libnettle SHA1 functions])
+ 	SHA1_LIBS=-lnettle
+ fi
++if test "x$with_sha1" = xnettlestatic && test "x$HAVE_LIBNETTLE" != xyes; then
++	AC_MSG_ERROR([nettlestatic requested but libnettle not found])
++fi
++if test "x$with_sha1" = xnettlestatic; then
++	AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
++	          [Use static libnettle SHA1 functions])
++	SHA1_LIBS=-l:libnettle.a
++fi
+ AC_CHECK_LIB([gcrypt], [gcry_md_open], [HAVE_LIBGCRYPT=yes])
+ if test "x$with_sha1" = x && test "x$HAVE_LIBGCRYPT" = xyes; then
+ 	with_sha1=libgcrypt
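
Review bot: In the added nettlestatic block of the inner configure.ac hunk at -1584, the guard only tests HAVE_LIBNETTLE, which is set outside the visible context; if that probe links with plain -lnettle, it passes when only the shared library is installed and the build then fails late, at link time, on SHA1_LIBS=-l:libnettle.a. Consider probing for the static archive itself in the nettlestatic branch (for example AC_LINK_IFELSE with LIBS set to -l:libnettle.a) so that the AC_MSG_ERROR fires at configure time. The -l:filename form is also a GNU ld convention that not every linker accepts, which is worth a comment next to the new option given that the same help string lists CommonCrypto and CryptoAPI backends.
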
diff --git a/debian/patches/03_static-nettle.diff b/debian/patches/03_static-nettle.diff
deleted file mode 100644
index d6878a332..000000000
--- a/debian/patches/03_static-nettle.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Link against static libnettle
-
-There's no libnettle udeb.
-
----
- configure.ac |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -1582,7 +1582,7 @@ fi
- if test "x$with_sha1" = xlibnettle; then
- 	AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
- 	          [Use libnettle SHA1 functions])
--	SHA1_LIBS=-lnettle
-+	SHA1_LIBS=-l:libnettle.a
- fi
- AC_CHECK_LIB([gcrypt], [gcry_md_open], [HAVE_LIBGCRYPT=yes])
- if test "x$with_sha1" = x && test "x$HAVE_LIBGCRYPT" = xyes; then
diff --git a/debian/patches/series b/debian/patches/series
index deb848d23..034a798f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,7 +1,5 @@
-## Patches with a number < 100 are applied in debian.
-## Ubuntu patches start with 100.
 02_kbsd-input-devd.diff
-03_static-nettle.diff
+03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
 05_Revert-Unload-submodules.diff
 06_use-intel-only-on-pre-gen4.diff
 07_use-modesetting-driver-by-default-on-GeForce.diff
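
Review bot: The two leading comment lines of debian/patches/series ("## Patches with a number < 100 are applied in debian." and "## Ubuntu patches start with 100.") are deleted in this hunk, although the commit message only covers swapping the nettle patch. If the removal is a side effect of regenerating the series file, restore the lines or mention the removal in the commit message, since they document the numbering convention that the new 03_ patch name still follows.
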
diff --git a/debian/rules.flags b/debian/rules.flags
index 68cdabaf0..2543ea1bc 100644
--- a/debian/rules.flags
+++ b/debian/rules.flags
@@ -89,7 +89,7 @@ confflags_udeb = \
 	--disable-xnest \
 	--disable-kdrive \
 	--disable-xephyr \
-	--with-sha1=libnettle \
+	--with-sha1=nettlestatic \
 	$(void)
 
 ifeq ($(DEB_HOST_ARCH_OS), linux)
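
Review bot: With confflags_udeb now passing --with-sha1=nettlestatic, the udeb build is correct only while 03_autotools-enable-static-use-of-Nettle-for-SHA1.diff is applied, and nothing visible here shows what configure does with that value if the patch is ever dropped. The removed 03_static-nettle.diff recorded that there is no libnettle udeb, so a check in debian/rules that the udeb's server binary carries no NEEDED entry for libnettle would catch a silent fallback to dynamic linking.
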
-- 
2.47.2

From 292c59f73b7a0634aae3cc53b345ad4611e84250 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 11 Feb 2025 18:58:45 -0500
Subject: [PATCH 2/3] Use nettle for sha1

The udeb build uses nettle for sha1.  There's no reason we can't use
nettle for the mainline build as well.  This reduces one
build-dependency.
---
 debian/control     | 1 -
 debian/rules.flags | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 709cfca36..8b2e39977 100644
--- a/debian/control
+++ b/debian/control
@@ -20,7 +20,6 @@ Build-Depends:
  libxkbfile-dev (>= 1:0.99.1),
  libpixman-1-dev (>= 0.27.2),
  libpciaccess-dev (>= 0.12.901),
- libgcrypt-dev,
  nettle-dev,
  libudev-dev (>= 151-3) [linux-any],
  libselinux1-dev (>= 2.0.80) [linux-any],
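
Review bot: Dropping libgcrypt-dev from Build-Depends is safe only if SHA1 was the build's sole use of libgcrypt, and the commit message ("This reduces one build-dependency") does not say that this was checked. A clean-chroot build, followed by a look at the shared-library dependencies of the resulting binaries, would confirm it; stating the result in the commit message would help whoever later audits which crypto library the X server links.
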
diff --git a/debian/rules.flags b/debian/rules.flags
index 2543ea1bc..034228dba 100644
--- a/debian/rules.flags
+++ b/debian/rules.flags
@@ -59,7 +59,7 @@ confflags_main = \
 	--enable-xnest \
 	--enable-kdrive \
 	--enable-xephyr \
-	--with-sha1=libgcrypt \
+	--with-sha1=libnettle \
 	--enable-xcsecurity \
 	$(void)
 
-- 
2.47.2



--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:21.1.15-3
Done: Emilio Pozuelo Monfort <pochu@debian.org>

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1095785@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Feb 2025 09:37:51 +0100
Source: xorg-server
Architecture: source
Version: 2:21.1.15-3
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Closes: 1095785
Changes:
 xorg-server (2:21.1.15-3) unstable; urgency=medium
 .
   [ Daniel Kahn Gillmor ]
   * Fix fuzz in apple silicon patch
   * Use statically linked nettle from upstream
   * Use nettle for sha1 (Closes: #1095785)
 .
   [ Emilio Pozuelo Monfort ]
   * Release to sid.



--- End Message ---
