! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
Xfce's autotools should disable static libs by default when initializing libt...
Status: RESOLVED: FIXED
Product: Xfce4-dev-tools
Component: General

Comments

Description Samuli Suominen 2010-12-05 18:21:21 CET
All libtool versions prior to the 2.2.6b release are vulnerable to a serious issue:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3736

It's not an Xfce problem, but I'm just saying there's no need to care about versions older than 2.2.6b anymore. Therefore we can use the new syntax for packages:

Remove any AC_PROG_LIBTOOL (and if there is AC_DISABLE_STATIC, that too) and replace it with this:

LT_PREREQ([2.2.6])
LT_INIT([disable-static])

That's the new libtool syntax starting from 2.2.6:

http://www.gnu.org/software/libtool/manual/html_node/LT_005fINIT.html

If someone really wants static libraries/archives out of Xfce4 packages, he can still override it with --enable-static (probably not useful at all on any *nix systems, but it's still there :)

This is from Thunar's and libxfce4ui's configure.ac. This is correct for old syntax so I suggest updating it too to be consistent.

AC_DISABLE_STATIC()
AC_PROG_LIBTOOL()

  --enable-static[=PKGS]  build static libraries [default=no]
  --enable-shared[=PKGS]  build shared libraries [default=yes]


This is from xfdesktop's configure.ac. This is missing the call to disable static libs by default.

AC_PROG_LIBTOOL

  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes] <- eww!


And these are affected as well:

exo
garcon
libxfce4util
libxfcegui4
xfce4-panel
xfce4-session
xfce4-settings
xfconf
xfdesktop

And most of the plugins, but because most plugins are not libraries but executables it's not a real issue for them. However, these plugins are exceptions to that rule and build a library too:

thunar-shares-plugin
xfce4-datetime-plugin (see bug 6659 I already had filed before)
xfce4-notes-plugin
xfce4-playercontrol-plugin
xfce4-sensors-plugin



Overall this would reduce the compile time of Xfce packages and would save distribution maintainers the need to call --disable-static by hand in the package manager's rules (debian/rules, ebuild, PKGBUILD, etc.). And it also saves HDD space in the end :)
Comment 1 Nick Schermer editbugs 2010-12-05 19:04:57 CET
Moving to dev tools.
Comment 2 Nick Schermer editbugs 2010-12-05 20:25:46 CET
Created attachment 3236 
Update dev tools for LT_PREREQ

First of all I recommend the patch above. It makes autogen work with LT_PREREQ and warns if AC_PROG_LIBTOOL is used.
Comment 3 Nick Schermer editbugs 2010-12-09 09:20:44 CET
While we're at this, we also might consider bumping some other minimum versions.

I suggest the following versions:
automake 1.9 (we use 1.8 in various places, 1.10/1.11 has some known security issues, but 1.11.1 is very new).
libtool 2.2.6 (for new macro).
autoconf 2.60 (we use 2.50 mostly, but a small bump doesn't hurt, 2.60 has been around a long time, xorg also used 2.60).

See also http://live.gnome.org/GnomeGoals/ModernAutotools, but those versions are too new without any reason.

I think the versions above are very reasonable, so if nobody has any objections, I'll patch the core components and apply the dev-tools patch, so others will slowly move to the new libtool macro too.
Comment 4 Samuli Suominen 2010-12-09 16:01:03 CET
(In reply to comment #3)
> While we're at this, we also might consider bumping some other minimum
> versions.
> I suggest the following versions:
> automake 1.9 (we use 1.8 in various places, 1.10/1.11 has some known security
> issues, but 1.11.1 is very new).

libtool 2.4 dropped support entirely for older than 1.9, so this makes sense :)
+1 from me
Comment 5 Mike Massonnet editbugs 2011-11-01 17:54:54 CET
Nick, can you apply the patch? It doesn't look like anyone would complain against it, and if they do as written in comment 1 you can still decide to install static libraries.
Comment 6 Nick Schermer editbugs 2011-11-03 19:30:54 CET
Ok pushed the fix.

For those who read this bug for more information, please change

AC_DISABLE_STATIC()
AC_PROG_LIBTOOL()

in configure.ac.in to

LT_PREREQ([2.2.6])
LT_INIT([disable-static])
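
An added example, not part of the original bug report or of xfce4-dev-tools: a small audit script that reports, for each configure.ac or configure.ac.in in a source tree, which libtool macro it uses and whether static libraries are still built by default, as discussed for Thunar and xfdesktop above. The function names and category strings are hypothetical, and the script assumes AC_DISABLE_STATIC is honoured together with either macro.

```shell
#!/bin/sh
# Added example (not from xfce4-dev-tools): report which libtool macro a
# configure.ac(.in) uses and whether static libraries are built by default.
# Function names and category strings are this example's own.

# Drop dnl and # comments, then join lines so multi-line macro calls match.
# Heuristic: a '#' inside a quoted string is also treated as a comment start.
flatten() {
    sed -E -e 's/(^|[[:space:]])dnl([[:space:]].*)?$//' -e 's/#.*$//' "$1" |
        tr '\n' ' '
}

# has_macro TEXT REGEX: true when REGEX appears at the start of a macro name.
has_macro() {
    printf '%s\n' "$1" | grep -Eq "(^|[^A-Za-z0-9_])$2"
}

# classify_libtool_init FILE: prints <syntax>:<static default>
classify_libtool_init() {
    src=$(flatten "$1")
    if has_macro "$src" 'LT_INIT'; then syntax=new-syntax
    elif has_macro "$src" 'AC_PROG_LIBTOOL'; then syntax=old-syntax
    else echo "no-libtool"; return 0
    fi
    # Static is off by default only when it is requested explicitly.
    # Assumption: AC_DISABLE_STATIC is honoured by both macros.
    if has_macro "$src" 'AC_DISABLE_STATIC' ||
       has_macro "$src" 'LT_INIT\(\[?[^)]*disable-static'; then
        echo "$syntax:static-off"
    else
        echo "$syntax:static-on"
    fi
}

# audit_tree DIR: one line per configure.ac / configure.ac.in found.
# Returns non-zero if any file still defaults to building static libraries.
audit_tree() {
    report=$(find "$1" -type f \( -name configure.ac -o -name configure.ac.in \) |
        sort | while IFS= read -r f; do
            printf '%s %s\n' "$(classify_libtool_init "$f")" "$f"
        done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'static-on '
}

# Run as: sh audit.sh /path/to/checkouts
[ "$#" -eq 0 ] || audit_tree "$1"
```

The non-zero exit status makes the script usable as a packaging or CI check that fails while any library package still needs --disable-static passed by hand.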

Bug #6920

Reported by: Samuli Suominen
Reported on: 2010-12-05
Last modified on: 2011-11-03

Assignee: Nick Schermer
CC List: 4 users

Attachments

Update dev tools for LT_PREREQ (1.35 KB, patch)
2010-12-05 20:25 CET , Nick Schermer