Ubuntu
squid package

FFe: disable NIS basic auth helper, doesn't build with glibc 2.32

Bug #1895694 reported by Balint Reczey
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Release Notes for Ubuntu
Fix Released
Undecided
Unassigned
Squid
Unknown
Unknown
squid (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Disable the NIS basic authentication helper.

TL;DR I think it's less risky to disable NIS than to try to port this basic auth helper to use tirpc. Both approaches will require an FFe.

A diff can be seen in the linked MP.

Please let me know if you prefer the tirpc approach, it would take longer though.

Longer explanation follows

The NIS basic auth helper needs rpc.h which is no longer provided by glibc 2.32[1]. An alternative is to use libtirpc, and I tried that in another branch[2], but here are the reasons for not doing that:
- the patch is a bit more complicated
- I don't really fancy testing NIS
- who still uses NIS?
- I have no idea if tirpc is a drop-in replacement like that (goes back to testing this, listed above)

Fedora dropped this helper in 2018[3] exactly because of the rpc deprecation in glibc:
* Wed Jan 17 2018 Luboš Uhliarik <email address hidden> - 7:4.0.22-1
- new version 4.0.22
- Removed NIS helper (#1531540)

I tried to use libtirpc in [2], and it builds and the executable runs, but the remarks I made above about NIS remains. Plus, there are some unknowns in this attempt of mine:
- dpkg-shlibdeps didn't flag libtirpc as a needed dependency
- ldd shows libtirpc, but objdump -x ... | grep NEEDED doesn't. Looks like dpkg-shlibdeps only goes over the NEEDED deps shown by objdump -x
- I think ldd, being recursive, found libtirpc via libnsl, which is one of the NEEDED deps in objdump
- adding -ltirpc to the linking phase of that helper means changing an autoconf file, and calling autoreconf. That introduced (or revealed?) a bug where mime.conf was no longer instaled in /usr/share/squid, but in /etc/squid. So I had to fix that too
- the helper builds even without -ltirpc in the linking phase, which would simplify the branch a bit as I wouldn't have to regenerate the Makefile, but I wonder why it builds...

If I can be sure not having to use -ltirpc is correct, and not that it worked by just pure chance, then maybe the libtirpc approach has some merit, but it would still need testing, and find out why the new dependency wasn't added automatically by shlibs. Adding it manually to depends is icky.

Anyway, that is the story :)

PPA with NIS disabled: https://launchpad.net/~ahasenack/+archive/ubuntu/squid-ftbfs-nis
PPA with NIS using libtirpc, with the above caveats not addressed: https://launchpad.net/~ahasenack/+archive/ubuntu/squid-ftbfs-nis-using-tirpc (forgive the messy changelog, it came straight out of WIP commits)

1. https://sourceware.org/pipermail/libc-announce/2020/000029.html
2. https://code.launchpad.net/~ahasenack/ubuntu/+source/squid/+git/squid/+ref/groovy-squid-use-tirpc
3. https://bugzilla.redhat.com/show_bug.cgi?id=1531540

[Original Description]

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-groovy/groovy/amd64/s/squid/20200911_180749_36a1a@/log.gz

...
checking for sys/types.h... yes
checking for rpc/rpc.h... no
checking for rpcsvc/ypclnt.h... yes
checking for rpcsvc/yp_prot.h... no
checking for crypt.h... (cached) yes
autopkgtest [17:59:58]: test upstream-test-suite: -----------------------]
upstream-test-suite FAIL non-zero exit status 2

Glibc 2.32 stopped shipping rpc/rpc.h and other RPC development files. Software projects are recommended to switch to TI-RPC.
https://sourceware.org/pipermail/libc-announce/2020/000029.html

See original description

Related branches

~sergiodj/ubuntu/+source/squid:merge-5.7-1-lunar
Bryce Harrington (community): Approve
Canonical Server Reporter: Pending requested
Diff: 1212 lines (+1039/-2)
9 files modified
debian/NEWS (+7/-0)
debian/changelog (+794/-0)
debian/control (+3/-2)
debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+28/-0)
debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch (+89/-0)
debian/patches/series (+4/-0)
debian/usr.sbin.squid (+27/-0)
~sergiodj/ubuntu/+source/squid:merge-5.6-1-kinetic
Christian Ehrhardt  (community): Needs Fixing
Canonical Server Reporter: Pending requested
Diff: 1142 lines (+976/-2)
9 files modified
debian/NEWS (+7/-0)
debian/changelog (+735/-0)
debian/control (+3/-2)
debian/patches/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch (+65/-0)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+24/-0)
debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch (+89/-0)
debian/patches/series (+4/-0)
debian/usr.sbin.squid (+27/-0)
~sergiodj/ubuntu/+source/squid:merge-5.2-1-jammy
Robie Basak: Needs Fixing
Canonical Server: Pending requested
Diff: 1015 lines (+856/-2)
9 files modified
debian/NEWS (+7/-0)
debian/changelog (+647/-0)
debian/control (+3/-2)
debian/patches/90-cf.data.ubuntu.patch (+22/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/fix-max-pkt-sz-for-icmpEchoData-padding.patch (+89/-0)
debian/patches/series (+4/-0)
debian/patches/workaround-gcc11-wstringop-overread-bug.patch (+35/-0)
debian/usr.sbin.squid (+27/-0)
~ahasenack/ubuntu/+source/squid:groovy-squid-drop-nis
Lucas Kanashiro (community): Approve
Canonical Server: Pending requested
Diff: 42 lines (+14/-1)
3 files modified
debian/NEWS (+7/-0)
debian/changelog (+6/-0)
debian/rules (+1/-1)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This is actually an FTBFS, as the dep8 test is rebuilding squid. The missing line from the above output is complaining about the NIS auth helper:

(...)
checking for rpcsvc/ypclnt.h... yes
checking for rpcsvc/yp_prot.h... no
checking for crypt.h... (cached) yes
configure: error: Basic auth helper NIS ... found but cannot be built
make: *** [/usr/share/cdbs/1/class/autotools.mk:46: debian/stamp-autotools] Error 1
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2

tags: added: ftbfs
summary: - autopkgtest fails in groovy with glibc 2.32
+ autopkgtest fails in groovy with glibc 2.32, also FTBFS
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: autopkgtest fails in groovy with glibc 2.32, also FTBFS

This seems to be coming from /usr/include/rpcsvc/yp_prot.h, shipped by libnsl-dev:
...
configure:30653: checking for rpcsvc/ypclnt.h
configure:30653: x86_64-linux-gnu-g++ -c -I/usr/include/p11-kit-1 -g -O2 -fdebug-prefix-map=/home/ubuntu/deb/squid/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/libxml2 conftest.cpp >&5
configure:30653: $? = 0
configure:30653: result: yes
configure:30653: checking for rpcsvc/yp_prot.h
configure:30653: x86_64-linux-gnu-g++ -c -I/usr/include/p11-kit-1 -g -O2 -fdebug-prefix-map=/home/ubuntu/deb/squid/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/libxml2 conftest.cpp >&5
In file included from conftest.cpp:164:
/usr/include/rpcsvc/yp_prot.h:10:10: fatal error: rpc/rpc.h: No such file or directory
   10 | #include <rpc/rpc.h>
      | ^~~~~~~~~~~

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

But of course rpc.h is also checked for and needed. I quickly tested and libnsl still builds, yet it ships that include file that also includes rpc/rpc.h

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Fedora disabled the NIS helper in 2018 https://bugzilla.redhat.com/show_bug.cgi?id=1531540

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Sorry, I meant to paste this too:
* Wed Jan 17 2018 Luboš Uhliarik <email address hidden> - 7:4.0.22-1
- new version 4.0.22
- Removed NIS helper (#1531540)

We either port this to tirpc, or drop the NIS helper, in which case we need an FFe for this bug.

Andreas Hasenack (ahasenack)
summary: - autopkgtest fails in groovy with glibc 2.32, also FTBFS
+ FFe: disable NIS basic auth helper, doesn't build with glibc 2.32
description: updated
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Added release-notes task in case the FFe is approved as-is, by dropping the NIS basic auth module.

description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Builds are fine in the ppa with proposed enabled (https://launchpad.net/~ahasenack/+archive/ubuntu/squid-ftbfs-nis/+packages).

DEP8 with propose also passes:
...
autopkgtest [12:31:27]: test squid: - - - - - - - - - - results - - - - - - - - - -
squid PASS
autopkgtest [12:31:27]: @@@@@@@@@@@@@@@@@@@@ summary
upstream-test-suite PASS
squid PASS

real 15m41,017s

$ grep proposed dep8/log |head
autopkgtest [12:15:52]: host nsnx; command line: /usr/bin/autopkgtest -o dep8 -U -s -B --apt-pocket=proposed '--setup-commands=sudo add-apt-repository ppa:ahasenack/squid-ftbfs-nis -y -s; sudo apt-get update' ./squid/ -- lxd ubuntu-daily:groovy
Get:1 http://br.archive.ubuntu.com/ubuntu groovy-proposed InRelease [118 kB]
Get:2 http://br.archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages [134 kB]
Get:3 http://br.archive.ubuntu.com/ubuntu groovy-proposed/main Translation-en [49.3 kB]
Get:4 http://br.archive.ubuntu.com/ubuntu groovy-proposed/main amd64 c-n-f Metadata [3392 B]
...

Revision history for this message
Steve Langasek (vorlon) wrote :

FFe granted to drop the NIS helper.

Changed in squid (Ubuntu):
status: New → Confirmed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I added an entry to the groovy release notes at https://discourse.ubuntu.com/t/groovy-gorilla-release-notes/15533

Changed in ubuntu-release-notes:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid - 4.13-1ubuntu2

---------------
squid (4.13-1ubuntu2) groovy; urgency=medium

  * d/rules, d/NEWS: drop the NIS basic auth helper (LP: #1895694)

 -- Andreas Hasenack <email address hidden> Thu, 17 Sep 2020 18:19:42 -0300

Changed in squid (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.