Currently dev-db/mysql-connector-c uses the bundled versions of app-arch/lz4 and app-arch/zstd instead of trying to use the system provided ones. This results in a library larger than needed and may have security implications if security issues affecting either of the two libraries are found.

Reproducible: Always

Steps to Reproduce:
1. emerge dev-db/mysql-connector-c

Actual Results:
bundled lz4 and zstd are used

Expected Results:
system provided lz4 and zstd are used
Created attachment 655996
ebuild making use of the system provided libraries

Here is a patched version of the ebuild.
Could you please tell us how you came to this conclusion?

I might be missing something but for me, client is *not* linking against app-arch/lz4 and app-arch/zstd.

How did I verify? I built *server* without our patch set (our patch set is removing client libs) so that we also build client libs. When I now check libmysqlclient.so, neither lz4 nor zstd is getting linked:

> # lddtree /var/tmp/portage/dev-db/mysql-8.0.21/image/usr/lib64/libmysqlclient.so.21.1.21
> libmysqlclient.so.21.1.21 => /var/tmp/portage/dev-db/mysql-8.0.21/image/usr/lib64/libmysqlclient.so.21.1.21 (interpreter => none)
> libdl.so.2 => /lib64/libdl.so.2
> libz.so.1 => /lib64/libz.so.1
> libssl.so.1.1 => /usr/lib64/libssl.so.1.1
> libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1
> libpthread.so.0 => /lib64/libpthread.so.0
> libstdc++.so.6 => /usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libstdc++.so.6
> libm.so.6 => /lib64/libm.so.6
> libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/9.3.0/libgcc_s.so.1
> libc.so.6 => /lib64/libc.so.6
> ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
OK, we are installing lz4_decompress and zstd is getting linked somehow when you don't build server. Incoming fix...

But I'd still like to know how you caught this.
(In reply to Thomas Deutschmann from comment #3)
> OK, we are installing lz4_decompress and zstd is getting linked somehow when
> you don't build server. Incoming fix...
>
> But I'd still like to know how you caught this.

I have a really old server and when doing an upgrade, you can almost read the compilation lines given how slow it goes. The zstd code takes particularly long to compile so I saw it as I was recompiling mysql-connector-c to address another issue.

I then downloaded the sources, did some manual tests on a faster system checking the configure options and noticed that the build system needs that you manually request use of system libraries for these two (I was even more intrigued by the fact that lz4 was already a dependency).

Some testing and lots of configure output reading later and a bit of compile output checking (for zstd the number of files is particularly revealing) I could conclude:

* lz4 and zstd need to be hinted when running the configure step.
* None of the other libraries (CURL, EDITLINE, ICU, LIBEVENT and PROTOBUF) seemed to be used by the connector code. You have a listing of these at SET(SYSTEM_LIBRARIES on the CMakeLists.txt file but that covers both mysqld and the connector.
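Added example (not part of the bug thread, and not Gentoo or MySQL code): a check that classifies lz4 and zstd in a built shared library as bundled or taken from the system, from the text output of `readelf -d` and `nm -D`. It is a heuristic that assumes a bundled copy leaves the chosen marker function exported; the helper names and the sample inputs are constructed for illustration.

```python
import re

# One well-known exported function per library, and the soname prefix that a
# dynamic link against the system copy would record as DT_NEEDED.
LIBS = {"lz4": ("LZ4_compress_default", "liblz4.so"),
        "zstd": ("ZSTD_compress", "libzstd.so")}
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
NM_RE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")
DEFINED = {"T", "t", "W", "i"}  # nm codes for a function defined in this object

def needed_libs(readelf_d):
    """DT_NEEDED sonames from `readelf -d` output."""
    return NEEDED_RE.findall(readelf_d)

def dynamic_symbols(nm_d):
    """Map symbol name -> nm type code from `nm -D` output."""
    syms = {}
    for line in nm_d.splitlines():
        m = NM_RE.match(line)
        if m:
            syms[m.group(2).split("@")[0]] = m.group(1)  # drop any @VERSION
    return syms

def classify(readelf_d, nm_d):
    """Return {'lz4': ..., 'zstd': ...} with 'bundled', 'system' or 'absent'."""
    needed, syms = needed_libs(readelf_d), dynamic_symbols(nm_d)
    verdict = {}
    for lib, (marker, soname) in LIBS.items():
        if syms.get(marker) in DEFINED:
            verdict[lib] = "bundled"   # the object carries its own copy
        elif any(n.startswith(soname) for n in needed):
            verdict[lib] = "system"    # resolved from the shared system library
        else:
            verdict[lib] = "absent"    # not visible in the dynamic section
    return verdict

# Constructed samples (not output from the builds discussed in this bug).
BUNDLED_READELF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
BUNDLED_NM = """\
0000000000154a10 T LZ4_compress_default
00000000001a2f40 T ZSTD_compress
                 U inflate
"""
SYSTEM_READELF = BUNDLED_READELF + """\
 0x0000000000000001 (NEEDED)             Shared library: [liblz4.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libzstd.so.1]
"""
SYSTEM_NM = "                 U LZ4_compress_default\n                 U ZSTD_compress\n"

if __name__ == "__main__":
    print(classify(BUNDLED_READELF, BUNDLED_NM))
    print(classify(SYSTEM_READELF, SYSTEM_NM))
```

An "absent" verdict is not proof that no bundled copy exists: code compiled with hidden symbol visibility does not appear in `nm -D`, so the configure and compile output checks described in the comment above remain the authoritative test.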
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfc4d2b105b5f2f5dd519e394d85ae865fc37429

commit bfc4d2b105b5f2f5dd519e394d85ae865fc37429
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-22 20:16:56 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-22 20:24:39 +0000

    dev-db/mysql: use app-arch/zstd from system

    Bug: https://bugs.gentoo.org/738462
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-db/mysql/{mysql-8.0.21.ebuild => mysql-8.0.21-r1.ebuild} | 2 ++
 1 file changed, 2 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0982a0a2f5719bcf6af5a8407731e8ca5c9fbd4

commit e0982a0a2f5719bcf6af5a8407731e8ca5c9fbd4
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-22 19:42:23 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-22 20:24:39 +0000

    dev-db/mysql-connector-c: use app-arch/{lz4,zstd} from system

    Bug: https://bugs.gentoo.org/738462
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...ector-c-8.0.21-r1.ebuild => mysql-connector-c-8.0.21-r2.ebuild} | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
Whissi, take into account that the CMake file for mysql (not the connector) lists a few other libraries. I can test how they are used if you want but that will have to wait a lot more.
Feel free to test but all good now from my POV. Thank you for the explanation of how you caught this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab5e3b6e61ded724acf221cde6f0de8b8ac63a4a

commit ab5e3b6e61ded724acf221cde6f0de8b8ac63a4a
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-08 22:56:12 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-08 23:45:21 +0000

    dev-db/percona-server: use app-arch/zstd from system

    Bug: https://bugs.gentoo.org/738462
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...na-server-8.0.20.11-r1.ebuild => percona-server-8.0.20.11-r2.ebuild} | 2 ++
 1 file changed, 2 insertions(+)